SUSE Manager Documentation


Contents

Proxy Quick Start
Installation & Troubleshooting Guide
User Guide
Reference Guide
Client Configuration Guide

SUSE Manager 2.1

Proxy Quick Start

Publication Date 19 Oct 2016

Copyright © 2016 SUSE LLC

Copyright © 2011-2014 Red Hat, Inc.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled GNU Free Documentation License.

Alternatively (at your option) this document is licensed under the Creative Commons Attribution-Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Novell, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

For Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell.com/company/legal/trademarks/tmlist.html. Linux* is a registered trademark of Linus Torvalds. All other third party trademarks are the property of their respective owners. A trademark symbol (®, ™ etc.) denotes a Novell trademark; an asterisk (*) denotes a third party trademark.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither Novell, Inc., SUSE LINUX Products GmbH, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.


Proxy Quick Start

SUSE Manager Proxy 2.1

Publication Date 19 Oct 2016


Abstract

SUSE® Manager Proxy is a SUSE Manager add-on and caches software packages on an internal, central server. The proxy caches patch updates from SUSE or custom RPMs generated by third-party organizations. A proxy allows to use bandwidth more effectively because client systems connect to the proxy for updates, and the SUSE Manager server is no longer required to handle all client requests. The proxy also supports transparent custom package deployment.

This Quick Start explains how to install and set up SUSE Manager Proxy and how to get started with the most important tasks.

1. Conceptual Overview

SUSE Manager Proxy is an open source (GPLv2) solution that provides the following features:

  • Cache software packages in a Squid proxy.

  • Client systems see the SUSE Manager Proxy as a SUSE Manager server instance.

  • The SUSE Manager Proxy is registered as a client system with the SUSE Manager server.

SUSE Manager Proxy's main purpose is to improve the overall SUSE Manager performance by reducing bandwidth requirements and accelerating response time.

2. System Requirements

The following section informs you about the system requirements. For supported clients and their requirements, see Section “Supported Client Systems” (Chapter 3, Requirements, ↑Installation & Troubleshooting Guide).

2.1. Hardware Requirements

Hardware requirements highly depend on your usage scenario. When planning proxy environments, consider the amount of data you wamt to cache on your proxy. If the proxy should be a 1:1 mirror of your SUSE Manager, the same amount of disk space is needed.

CPU

Required: a multi-core 64bit CPU (x86_64).

RAM

Required: 4 GB when only managing a few client systems.

Recommended for production use: 16 GB.

Free Disk Space

Required: 20 GB for base installation.

Additionally at least 25 GB for caching per distribution or channel; resizable partition strongly recommended.

[Note]

We strongly recommend to use disk space monitoring probes to avoid file system and database corruption due to a lack of disk space. Set a lower threshold than you would use for a regular system so as to notify the admin in advance of upcoming low disk space conditions. For more information on monitoring see Chapter 11, Monitoring — [Mon] (↑User Guide) and Appendix B, Probes (↑Reference Guide).

2.2. Other Requirements

[Important]Network Setup

For correct installation and setup of SUSE Manager Proxy, make sure the following requirements are fulfilled:

Hostname and IP Address

To guarantee that SUSE Manager Proxy's domain name can be resolved by its clients, the proxy and the client machines must be connected to a working Domain Name Server (DNS) server in the network.

The hostname of the SUSE Manager Proxy server must not contain uppercase letters as this might cause the jabberd messaging daemon to fail.

Novell Customer Center

For using SUSE Manager Proxy, you need an account at the Novell Customer Center (NCC) where your purchased products and product subscriptions are registered. Make sure you have the following subscriptions:

  • One or more subscriptions for SUSE Manager Proxy.

  • One or more subscriptions for SUSE Manager.

  • Subscriptions for the products on the client systems you want to register with SUSE Manager via SUSE Manager Proxy.

  • Subscriptions to client entitlements for the client system you want to register with SUSE Manager via SUSE Manager Proxy.

Network Time Protocol (NTP)

The connection to the Web server via Secure Sockets Layer (SSL) requires correct time settings on the server, proxy and clients. For this reason, all systems must use NTP.

Virtual Environments

For running SUSE Manager Proxy in virtual environments, use the following settings for the virtual machine (VM):

  • At least 1 GB of RAM

  • Bridged network

The following virtual environments are supported:

  • KVM

  • VMware

  • Hyper-V

For running SUSE Manager Proxy in KVM, VMware, or Hyper-V, use the SUSE Manager Proxy ISO image.

3. Installation and Setup

SUSE Manager Proxy is an application combined with an operating system (appliance). It can be deployed on industry hardware or in a virtual environment.

If SUSE Manager Proxy is registered with a SUSE Manager instance, it will receive updates directly from the configured SUSE Manager channel.

The YaST graphical user interface will guide you through the installation and the setup process. It is started in text mode. Use the →| key to navigate among individual elements. To select a value from a list, use the and arrow keys and press Enter. To activate an option, press the Space key.

3.1. Installation

The following procedure describes the installation on a physical machine. Make sure the machine you intend to use fulfills the “Hardware Requirements”. If you want to install the appliance in a virtual machine, additionally check the settings listed in Virtual Environments (↑Installation & Troubleshooting Guide).

Procedure 1. Installing the Appliance

[Warning]Loss of Data

Installing SUSE Manager Proxy on a physical machine will completely erase any data on the hard disk used for installation. Before you start the installation process, create a backup of your hard disks.

  1. Boot your future SUSE Manager Proxy server from the installation medium. Select Install/Restore SUSE Manager Proxy.

  2. If your machine contains more than one hard disk, you are asked which one to use for the installation of SUSE Manager Proxy. Navigate with the arrow keys, and use the space key to mark the desired hard disk. You are asked if you want to continue and you are warned that the installation will destroy all data on the disk.

  3. To proceed, answer with Yes. The deployment process takes over. This step may take some time as large amounts of data need to be unpacked and verified. After the verification, YaST firstboot is started.

  4. In the first screen, set the system Language and Keyboard Layout for your future SUSE Manager Proxy. Proceed with Next.

  5. In the next screen, set the root password for your SUSE Manager Proxy server and confirm it.

    Figure 1. YaST Firstboot—Password for the System Administrator

    YaST Firstboot—Password for the System Administrator

    Proceed with Next.

  6. In the following screen, read the licenses and agree to them. Proceed with Next. The installation routine checks some basic system requirements and depending on the results, lets you decide whether to proceed with the installation or cancel.

  7. In the next screen, configure the network settings. Note the network requirements listed in Section 2.2, “Other Requirements”. Either choose Use Following Configuration or Change to modify the network setup according to your wishes.

    Figure 2. YaST Firstboot— Network Configuration

    YaST Firstboot— Network Configuration

    Proceed with Next.

  8. Configure the Clock and Time Zone to use for your SUSE Manager server. Proceed with Next.

  9. Configure the NTP settings according to your wishes. For more information about the options, refer to Help. Note the NTP requirements listed in Section 2.2, “Other Requirements”. Proceed with Next.

  10. On the Installation Completed screen, select Finish to close YaST firstboot. The boot process continues.

  11. Wait for the boot process to finish.

3.2. Setup

After running YaST firstboot, log in as root, register SUSE Manager Proxy with SUSE Manager, then run the configure-proxy.sh setup script from the command-line. See the following sections for the details of this process:

3.2.1. Registering with SUSE Manager

Registering SUSE Manager Proxy with SUSE Manager is done with a bootstrap script that deploys all necessary information to the proxy. The bootstrap script refers some parameters like activation keys or GNU Privacy Guard (GPG ) keys that depend on your particular setup.

Procedure 2. Creating Activation Keys

Activation keys define entitlements and which channels and groups the client system is allowed to subscribe to. This information is passed on to all systems registered with a key. Each activation key is bound to the organization for which it has been created.

[Note]Activation Keys for New Organizations

If you need to create activation keys for a new organization, assign system entitlements first. For details, refer to Procedure “Assigning Entitlements to an Organization” (↑Reference Guide) and Section “Organization Management” (Chapter 4, Installation, ↑Installation & Troubleshooting Guide). The default organization has all necessary prerequisites by default.

  1. Log in to the SUSE Manager Web interface as administrator.

  2. Switch to the Systems tab and select Activation Keys.

  3. Click the Create New Key link at the upper right corner.

  4. Enter a Description to identify the generated activation key.

  5. If you want the key to be generated automatically, leave the Key input field empty. If you want to use a certain string for the key, define the desired string in the Key input field.

    [Warning]Allowed Characters

    Do not use commas or double quotes within the key string. All other characters are allowed. Commas are used as separators when registering client systems with multiple activation keys with rhnreg_ks.

    For more information, see Section “Managing Activation Keys” (Chapter 3, Systems, ↑User Guide).

  6. To restrict the number of client systems that can be registered with the activation key, set a Usage Limit by entering a maximum number of systems.

    For unlimited use, leave this field empty.

  7. With Base Channels, set the primary channel for the key. This can be either the SUSE Manager Default channel or a custom base channel. Additionally, add the Proxy channel to the list.

    Choosing SUSE Manager Default allows proxy systems to register with the default SUSE-provided channel that corresponds to their installed version of SUSE Linux Enterprise.

  8. Activate the Add-On Entitlements you want to grant to the proxy systems registered with that key. Activate at least Provisioning, which is a requirement for the proxy systems.

  9. If any newly registered proxy systems of your organization should inherit the properties of this key, activate the Universal Default checkbox. Only one universal default activation key can be defined per organization.

    [Warning]Changing the Default Activation Key

    Only one universal default activation key can be defined per organization. If some other key is already the default activation key for your organization, this check box will automatically unset the check box for that other key.

  10. Generate the key by clicking Create Activation Key. The prefix of the activation key indicates which organization (by ID number) owns the activation.

Figure 3. Example Activation Key

Example Activation Key

[Note]Activation Key Update

After modifying or adding any components that are bound to an existing activation key (for example adding channels), make sure to update the key under Systems+Activation Keys+KEY_TO_MODIFY+Update Activation Key.

The next steps are to generate the bootstrap.sh script on the SUSE Manager server, then edit a copy of the script and run the modified script on each proxy machine that you want to register with SUSE Manager.

Procedure 3. Generating the Bootstrap Script

Several options in the bootstrap script can be set via the SUSE Manager Web interface, for example, if remote command execution or remote configuration of proxy systems should be allowed.

  1. On the SUSE Manager Web interface, switch to the Admin tab and select SUSE Manager Configuration+Bootstrap Script.

  2. Check the options listed on the page and activate or deactivate them according to your needs.

    [Note]Remote Command Execution and Configuration

    If you choose to Enable Remote Configuration or Enable Remote Commands, make sure that the rhncfg-actions package is installed on the proxy systems:

    1. Switch to the Systems tab and select Activation Keys.

    2. From the list of activation keys, click the one you want to modify.

    3. Click the Packages subtab, enter rhncfg-actions into the input field and click Update Key.

    The required package for remote command execution and configuration will automatically be installed on all systems registered with the respective activation key.

  3. Click the Update button. The necessary bootstrap script is generated and stored on the server's file system in the /srv/www/htdocs/pub/bootstrap directory. It is also available from https://susemanager.example.com/pub/bootstrap/.

  4. Proceed with the following procedure, Procedure 4, “Editing the Bootstrap Script and Registering Proxy Systems”.

Procedure 4. Editing the Bootstrap Script and Registering Proxy Systems

Adjust the generated bootstrap script according to your needs. The minimal requirement is to include the activation key. We strongly recommend to also include one or more GPG keys (for example, your organization key, and package signing keys). Then execute the resulting script on each proxy system that you want to register with SUSE Manager (either centrally from the SUSE Manager server or decentralized on each system.)

  1. Log in as root to the SUSE Manager server.

  2. Create a copy of the automatically generated script:

    cd /srv/www/htdocs/pub/bootstrap
    cp bootstrap.sh bootstrap-edited.sh
  3. Edit the copy as follows:

    1. Search for the ACTIVATION_KEYS entry and enter the activation key from Procedure 2, “Creating Activation Keys”. Make sure to also include the organization prefix in the key, for example:

      ACTIVATION_KEYS=1-fef154ddcf0d515fc
    2. Search for the ORG_GPG_KEY entry and enter one or more GPG keys. Multiple keys must be entered as a comma-separated list.

    3. Adjust further parameters, if needed. For details, refer to the comments in bootstrap.sh.

    4. To enable the script for execution, remove the exit 1 entry from the message block. The last lines of the message block should now read:

      echo "the exit below)"
      echo
  4. Save the edited version of the script.

  5. Use one of the following possibilities to execute the edited script on all proxy machines that you want to register with SUSE Manager:

    • Log in as root on the SUSE Manager server and execute the following commands:

      cd /srv/www/htdocs/pub/bootstrap/
      cat bootstrap-edited.sh | ssh \
      root@client_hostname /bin/bash
    • Log in to each proxy client system and execute the following command (all on one line):

      curl -Sks https://server_hostname/pub
      /bootstrap/bootstrap-edited.sh | /bin/bash

    The proxy clients are registered with the SUSE Manager server as specified in the bootstrap script. The SUSE Manager Web interface shows the registered proxies as client systems on the Systems tab.

[Note]Missing repodata/repomd.xml

If the bootstrap script warns about missing repodata/repomd.xml, channel synchronizing is still running. Registration will succeed nevertheless, and thus package or patch updates will happen later as configured.

To be on the save side, check on the Web interface when Repo Cache Status is Completed: Click Channels, then the Channel Name to see the Details page. Here you can check basic details, manager accounts, available patches and packages, as well as subscribed systems.

3.2.2. Running configure-proxy.sh

On the proxy, log in as root and execute the interactive configure-proxy.sh script; answer questions about SUSE Manager Parent, CA Chain, Proxy version, Trace back email, Use SSL, HTTP Proxy, and provide input for an SSL certificate. A SUSE Manager Parent can be either another proxy server or a SUSE Manager server. Configuration input for monitoring follows. Next steps are CA password, whether to create and populate the configuration channel, and the credentials of the SUSE Manager server (user name and password).

If parts are missing, such as CA key and public certificate, the script prints commands that you must execute to integrate the needed files. When the mandatory files are copied, re-run configure-proxy.sh.

In the end, configure-proxy.sh activates services required by SUSE Manager Proxy, such as squid, apache2, and jabberd.

To check the status of the proxy system and its clients, click the proxy system's details page on the Web interface (Systems+Proxy, then the system name). Connection and Proxy subtabs display the respective status information.

4. Migrating SUSE Manager Proxy 1.7 to SUSE Manager Proxy 2.1

Registered SUSE Manager Proxy servers can be migrated as any other registered SUSE Manager client system as described in Chapter 6, Service Pack Migration (↑Client Configuration Guide).

[Note]Removing Package ext4dev-kmp-default

If the package ext4dev-kmp-default is installed on your proxy system, it has to be removed before the migration is triggered to successfully migrate a SUSE Manager Proxy from 1.2 to 1.7. Otherwise the migration will fail because there is no update candidate for this package available in SP2. To remove the package using SUSE Manager, proceed as follows:

  • Select the proxy system and then click Software+Packages+List/Remove.

  • Find ext4dev-kmp-default in the list of removable packages.

  • Mark the check box, click Remove Packages and confirm the package removal.

Figure 4. SUSE Manager Proxy Migration

SUSE Manager Proxy Migration

[Warning]jabberd Not Running

After migrating a SUSE Manager Proxy jabberd might not be running and jabberd/sm[2490]: db: couldn't open storage db: Invalid argument will be logged in /var/log/messages.

To fix this issue, run:

rcjabberd stop
rm -f /var/lib/jabberd/db/*
rcjabberd start

5. Registering Clients via SUSE Manager Proxy

Registering clients via SUSE Manager Proxy is done almost the same way as registering clients directly with the SUSE Manager server. The difference is that you create a bootstrap script on the SUSE Manager Proxy with a command-line tool. The bootstrap script then deploys all necessary information to the clients. The bootstrap script refers some parameters (such as activation keys or GPG keys) that depend on your specific setup. For background information, see the Client Configuration Guide.

  1. Create the client activation key on the SUSE Manager server using the Web interface as explained in Section “Client Setup” (Chapter 4, Installation, ↑Installation & Troubleshooting Guide).

  2. On the proxy, execute the mgr-bootstrap command-line tool as root. If needed, either edit the resulting bootstrap script or use additional command-line switches such as --activation-keys:

    mgr-bootstrap \
      --activation-keys=key-string
  3. Execute the bootstrap script on the clients as described in Procedure “Editing the Bootstrap Script and Registering Clients” (↑Installation & Troubleshooting Guide) or above for the proxy systems in Procedure 4, “Editing the Bootstrap Script and Registering Proxy Systems”.

The clients are registered with the SUSE Manager Proxy specified in the bootstrap script. To check the status of the proxy connected client system, click the client system's details page on the SUSE Manager Web interface (Systems, then select the system name). The Connection subtab displays the connection path to the client.

For more information about bootstrapping, refer to Chapter 5, Using Bootstrap (↑Client Configuration Guide).

6. Documentation Updates

This section contains information about documentation content changes made to the Proxy Quick Start.

This document was updated on the following dates:

6.1. April 21, 2014

Updates were made to the following sections. The changes are explained below.

6.2. January 25, 2013

Updates were made to the following sections. The changes are explained below.

Section 2.2, “Other Requirements”

Xen no longer is a supported virtual environment.

6.3. November 28, 2012

Updates were made to the following sections. The changes are explained below.

7. Legal Notice

Copyright © 2016 SUSE LLC

Copyright © 2011-2014 Red Hat, Inc.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled GNU Free Documentation License.

Alternatively this document is licensed under the Creative Commons Attribution-Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Novell, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

For Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell.com/company/legal/trademarks/tmlist.html. Linux* is a registered trademark of Linus Torvalds. All other third party trademarks are the property of their respective owners. A trademark symbol (®, ™ etc.) denotes a Novell trademark; an asterisk (*) denotes a third party trademark.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither Novell, Inc., SUSE LINUX Products GmbH, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.

8. GNU Free Documentation License

Copyright (C) 2000, 2001, 2002 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

  1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

  2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.

  3. State on the Title page the name of the publisher of the Modified Version, as the publisher.

  4. Preserve all the copyright notices of the Document.

  5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

  6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

  7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

  8. Include an unaltered copy of this License.

  9. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

  10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

  11. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

  12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

  13. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.

  14. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.

  15. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

ADDENDUM: How to use this License for your documents

   Copyright (c) YEAR YOUR NAME.
   Permission is granted to copy, distribute and/or modify this document
   under the terms of the GNU Free Documentation License, Version 1.2
   or any later version published by the Free Software Foundation;
   with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
   A copy of the license is included in the section entitled “GNU
   Free Documentation License”.
  

If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the “with...Texts.” line with this:

   with the Invariant Sections being LIST THEIR TITLES, with the
   Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
  

If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those two alternatives to suit the situation.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.

Legal Information

Publication Date 19 Oct 2016


1. GNU Free Documentation License

Copyright (C) 2000, 2001, 2002 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

  1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

  2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.

  3. State on the Title page the name of the publisher of the Modified Version, as the publisher.

  4. Preserve all the copyright notices of the Document.

  5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

  6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

  7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

  8. Include an unaltered copy of this License.

  9. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

  10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

  11. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

  12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

  13. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.

  14. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.

  15. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

ADDENDUM: How to use this License for your documents

   Copyright (c) YEAR YOUR NAME.
   Permission is granted to copy, distribute and/or modify this document
   under the terms of the GNU Free Documentation License, Version 1.2
   or any later version published by the Free Software Foundation;
   with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
   A copy of the license is included in the section entitled “GNU
   Free Documentation License”.
  

If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the “with...Texts.” line with this:

   with the Invariant Sections being LIST THEIR TITLES, with the
   Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
  

If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those two alternatives to suit the situation.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.

SUSE Manager 2.1

Installation & Troubleshooting Guide

Publication Date 19 Oct 2016

Copyright © 2016 SUSE LLC

Copyright © 2011-2014 Red Hat, Inc.

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution-Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

This document is an adaption of original works found at https://access.redhat.com/site/documentation/en-US/Red_Hat_Network_Satellite/5.4/ and https://access.redhat.com/site/documentation/en-US/Red_Hat_Network_Satellite/5.5/ and https://access.redhat.com/site/documentation/en-US/Red_Hat_Satellite/.

Red Hat, as a licensor of these documents, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. Java® is a registered trademark of Oracle and/or its affiliates. XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries. All other trademarks are the property of their respective owners.

For Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell.com/company/legal/trademarks/tmlist.html. Linux* is a registered trademark of Linus Torvalds. All other third party trademarks are the property of their respective owners. A trademark symbol (®, ™ etc.) denotes a Novell trademark; an asterisk (*) denotes a third party trademark.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither Novell, Inc., SUSE LINUX Products GmbH, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.


Contents

About This Guide
1. Available Documentation
2. Feedback
3. Documentation Conventions
1. Conceptual Overview
1.1. Main Components
1.2. Process Flow
1.3. Setup Scenarios and Security
1.4. Benefits
2. Example Topologies
2.1. Single SUSE Manager Topology
2.2. Multiple SUSE Manager Servers—Horizontally Tiered
2.3. SUSE Manager with SUSE Manager Proxies—Vertically Tiered
3. Requirements
3.1. System Requirements
3.2. External Database Requirements
3.3. Additional Requirements
3.4. Prerequisites
4. Installation
4.1. Summary of Steps
4.2. Installation
4.3. Setup
4.4. Setup Without Internet Connection
4.5. Basic Configuration
4.6. Satellite to SUSE Manager Server Migration
5. SUSE Manager on IBM z Systems
5.1. Introduction
5.2. Base System Requirements
5.3. Additional Requirements
5.4. Storage Preparation
5.5. SUSE Linux Enterprise 12 Required Functionality
5.6. SUSE Manager Installation
6. Importing and Synchronizing with Inter-Server Sync
6.1. Exporting with mgr-exporter
6.2. Importing with SUSE Manager Synchronization Tool mgr-inter-sync
6.3. Synchronizing
6.4. Inter-Server Synchronization
6.5. Organizational Synchronizing
6.6. Inter-Server Synchronization Use Cases
7. Troubleshooting
7.1. Installation and Configuration
7.2. General Problems
7.3. Configuring Reliable SUSE Manager Setup
7.4. Gathering Information with spacewalk-report
7.5. Changing the CSV Separator
7.6. Log Files
7.7. Naming Custom Channels
7.8. Accessing Local Channels without Proxy
7.9. Using a Proxy with Certificates to Access the Internet
7.10. Discovering Hosts and Subnets in the Network
7.11. Host Not Found/Could Not Determine FQDN
7.12. RPC Connection Timeout Settings
7.13. Connection Errors
7.14. SUSE Manager Debugging
7.15. Resetting the SUSE Manager Password
7.16. Registering a Client Manually with suse_register
7.17. Multiple Mirror Credentials
7.18. Invoking spacecmd
8. Maintenance
8.1. Managing SUSE Manager with spacewalk-service
8.2. Updating SUSE Manager
8.3. Creating Up-to-date Bootstrap Repositories
8.4. Backing Up SUSE Manager
8.5. Migrating Patches from Old to New Naming
8.6. Configuring SUSE Manager's Database (smdba)
8.7. Cloning SUSE Manager with the Embedded Database
8.8. Establishing Redundant SUSE Manager Servers with Stand-Alone Database
8.9. Conducting SUSE Manager-Specific Tasks
8.10. Automating Synchronization
8.11. Implementing PAM Authentication
8.12. Enabling Push to Clients
8.13. SSH Server Push
8.14. Uploading and Maintaining Custom Packages
8.15. Configuring Audit Log Keeper
8.16. Generating Spacewalk Reports
8.17. Online Migration with YaST Wagon
9. For More Information
A. Documentation Updates
A.1. October 20, 2016
A.2. February 24, 2016
A.3. December 17, 2015
A.4. September 25, 2015
A.5. July 31, 2015
A.6. February 12, 2015
A.7. February 6, 2015
A.8. December 5, 2014
A.9. April 30, 2014
A.10. April 29, 2014
A.11. November 22, 2013
A.12. September 9, 2013
A.13. August 23, 2013
A.14. January 25, 2013
A.15. November 28, 2012

About This Guide

SUSE® Manager lets you efficiently manage a set of Linux systems and keep them up to date. It provides automated and cost-effective software management, asset management, system provisioning, and monitoring capabilities. SUSE Manager is compatible with Red Hat Satellite Server and offers seamless management of both SUSE® Linux Enterprise and Red Hat Enterprise Linux client systems.

This guide is intended for system administrators.

Many chapters in this manual contain links to additional documentation resources available on the installed system and on the Internet.

For an overview of the documentation available for your product and the latest documentation updates, refer to http://www.suse.com/documentation/suse_manager/ or to the following sections.

HTML versions of the manuals are also available from the Help tab of the SUSE Manager Web interface.

[Note]Obtaining the Release Notes

Although this manual reflects the most current information possible, read the SUSE Manager Release Notes for information that may not have been available prior to the finalization of the documentation. These notes can be found at http://www.suse.com/documentation/suse_manager/.

1. Available Documentation

The following manuals are available on this product:

Installation & Troubleshooting Guide

Lists installation scenarios and example topologies for different SUSE Manager setups. Guides you step by step through the installation, setup and basic configuration of SUSE Manager. Also contains detailed information about SUSE Manager maintenance and troubleshooting.

Proxy Quick Start (↑Proxy Quick Start)

Gives an overview of the installation and setup of SUSE Manager Proxy.

User Guide (↑User Guide)

Guides through common use cases and explains the Web interface.

Client Configuration Guide (↑Client Configuration Guide)

Describes best practices for setting up clients to connect to a SUSE Manager server or SUSE Manager Proxy.

Reference Guide (↑Reference Guide)

Reference documentation that covers administration topics like registering and updating client systems, configuring the SUSE Manager daemon, monitoring client systems, and more. Also contains a glossary with key terms used in the SUSE Manager context.

HTML versions of the product manuals can be found in the installed system under /usr/share/doc/manual. Find the latest documentation updates at http://www.novell.com/documentation where you can download PDF or HTML versions of the manuals for your product.

2. Feedback

Several feedback channels are available:

Bugs and Enhancement Requests

For services and support options available for your product, refer to http://www.suse.com/support/.

To report bugs for a product component, go to https://scc.suse.com/support/requests, log in, and click Create New.

User Comments

We want to hear your comments about and suggestions for this manual and the other documentation included with this product. Use the User Comments feature at the bottom of each page in the online documentation or go to http://www.suse.com/doc/feedback.html and enter your comments there.

Mail

For feedback on the documentation of this product, you can also send a mail to doc-team@suse.de. Make sure to include the document title, the product version and the publication date of the documentation. To report errors or suggest enhancements, provide a concise description of the problem and refer to the respective section number and page (or URL).

3. Documentation Conventions

The following typographical conventions are used in this manual:

  • /etc/passwd: directory names and filenames.

  • placeholder: replace placeholder with the actual value.

  • PATH: the environment variable PATH.

  • ls, --help: commands, options, and parameters.

  • user: users or groups.

  • Alt, Alt+F1: a key to press or a key combination; keys are displayed with uppercase letters as on a keyboard.

  • File, File+Save As: menu items, buttons.

  • ►amd64 em64t: This paragraph is only relevant for the specified architectures. The arrows mark the beginning and the end of the text block.

  • Dancing Penguins (Chapter Penguins, ↑Another Manual): This is a reference to a chapter in another manual.

Chapter 1. Conceptual Overview

SUSE Manager provides a solution to organizations requiring absolute control over and privacy of the maintenance and package deployment of their servers. It allows customers the greatest flexibility and power in keeping servers secure and updated.

1.1. Main Components

SUSE Manager consists of the following components:

Database

SUSE Manager can be used in conjunction with a stand-alone database (for example, the organizations' existing database) or with an embedded database. The embedded database comes bundled with SUSE Manager and is installed on the same machine as the SUSE Manager server.

Some differences exist when using SUSE Manager with an external database as opposed to the embedded database. These affect mainly hardware requirements, but also some installation steps, maintenance or troubleshooting activities. Differing instructions are either marked with embedded database or stand-alone database throughout this guide.

SUSE Manager

Core business logic and entry point for the update tool running on client systems. The SUSE Manager server also includes an Apache HTTP Server that serves XML-RPC requests.

SUSE Manager Web Interface

For advanced management of systems, system groups, users, and channels.

RPM Repository

Repository for default packages (and custom RPM packages identified by the organization).

Management Tools

The following tools are available:

  • Database and file system synchronization tools.

  • RPM importing tools.

  • Channel maintenance tools (Web-based).

  • Patch management tools (Web-based).

  • User management tools (Web-based).

  • Client system and system grouping tools (Web-based).

  • An update tool on the client systems.

    If you have Red Hat Enterprise Linux clients that use the Red Hat Update Agent (up2date or yum) or RHN Registration Client (rhn_register), these applications must be reconfigured or replaced with spacewalk-client-tools to retrieve updates from the organization's internal SUSE Manager server or SUSE Manager Proxy. After this one-time reconfiguration, these client systems can retrieve updates locally using the Red Hat Update Agent, or system administrators can schedule actions through the SUSE Manager Web interface.

The SUSE Manager management tools are used to synchronize the SUSE Manager database and package repository with the Novell Customer Center (NCC). The SUSE Manager import tool allows the system administrator to include custom RPM packages in the package repository.

For an explanation of key terms in the SUSE Manager context, refer to the Glossary (↑Reference Guide).

1.2. Process Flow

When receiving an update request from a client, the organization's internal SUSE Manager server queries its database, authenticates the client system, identifies the updated packages available for the client system, and sends the requested RPMs to the client system. Depending on the client's preferences, the package may also be installed. If the packages are installed, the client system sends an updated package profile to the SUSE Manager database. Those packages are removed from the list of outdated packages for the client.

1.3. Setup Scenarios and Security

The organization can configure the Web site for SUSE Manager server to be accessible from the local area network only or from both the local area network and the Internet. Both setups allow full control over client systems, system groups, and users. System profiles containing hardware and software information of the client systems are stored locally on the customer's SUSE Manager server. When a client system requests package updates, only the applicable packages for the client are returned. All package management tasks, including patch updates, are performed through the local area network.

SUSE Manager can be used in combination with a SUSE Manager Proxy server to deliver a distributed, self-contained deployment for the organization. For example, an organization can maintain one SUSE Manager server in a secure location. Any client systems with local network access to SUSE Manager can connect to it. Other remote offices can maintain SUSE Manager Proxy server installations that connect to the SUSE Manager server. The different locations inside the organization must be networked. This can be a private network—an Internet connection is not required for any of the systems.

Figure 1.1. Using SUSE Manager and SUSE Manager Proxy Server Together

Using SUSE Manager and SUSE Manager Proxy Server Together

1.4. Benefits

Advantages of using SUSE Manager include:

  • Scalability — a single system administrator can set up and maintain hundreds or thousands of SUSE Linux Enterprise or Red Hat Enterprise Linux client systems more easily, accurately, and quickly than they could maintain a single system without SUSE Manager.

    SUSE Manager may oversee an entire organization's servers in combination with a SUSE Manager Proxy server.

  • Security — all communication between registered systems and SUSE Manager takes place over secure Internet connections.

  • Control — clients' system profiles are stored on the local SUSE Manager server.

  • Access control — system administrators can be restricted to access only those systems within their maintenance responsibilities.

  • Efficiency and bandwidth — packages are delivered significantly faster over a local area network. The bandwidth used for transactions between the clients and the SUSE Manager server is controlled by the organization on the local area network.

  • Overview about patches — easily view patch alerts for all your client systems through one Web site.

  • Customized updates — custom channels allow fine-grained control of the delivery of custom software packages. SUSE Manager allows you to create a truly automated delivery system for custom packages as well as any SUSE Linux Enterprise or Red Hat Enterprise Linux packages required by client systems.

  • Scheduled actions — use the SUSE Manager Web interface to schedule actions, including patch updates, package installations, and software profile updates.

  • Standard protocols — used to maintain security and increase capability. For example, XML-RPC enables SUSE Manager to do much more than merely download files.

  • Simplification — maintaining SUSE Linux Enterprise and Red Hat Enterprise Linux systems becomes a simple, automated process.

Chapter 2. Example Topologies

SUSE Manager can be set up in multiple ways, depending on a number of factors like the following:

  • the total number of client systems to be served by SUSE Manager,

  • the maximum number of clients expected to connect concurrently to SUSE Manager,

  • the number of custom packages and channels to be served by SUSE Manager,

  • the number of SUSE Manager servers used in the customer environment,

In the following, find a simple setup example and two examples demonstrating how to effectively balance loads for larger environments.

2.1. Single SUSE Manager Topology

Using a single SUSE Manager to serve your entire network is adequate to service a medium-sized group of clients. However, performance will be compromised if the number of clients requesting packages grows.

Figure 2.1. Single SUSE Manager Topology

Single SUSE Manager Topology

2.2. Multiple SUSE Manager Servers—Horizontally Tiered

For larger networks, distributing the load of client requests becomes important. For this purpose, you can use several SUSE Manager servers in parallel as illustrated in Figure 2.2, “SUSE Manager Servers—Horizontally Tiered” or a combination of a SUSE Manager server with several SUSE Manager Proxy servers to which clients connect directly as shown in Figure 2.3, “SUSE Manager with SUSE Manager Proxies—Vertically Tiered”.

It is possible to synchronize content between SUSE Manager instances using the mgr-exporter and mgr-nnc-sync -m commands. This feature is discussed in detail in Section 6.1, “Exporting with mgr-exporter.

Figure 2.2. SUSE Manager Servers—Horizontally Tiered

SUSE Manager Servers—Horizontally Tiered

However, using a horizontal structure causes additional maintenance.

2.3. SUSE Manager with SUSE Manager Proxies—Vertically Tiered

An alternative method to balance load is to install SUSE Manager Proxy servers below a SUSE Manager. These proxies connect to the SUSE Manager server for packages from NCC and custom packages created locally. In essence, the proxies act as clients of the SUSE Manager server.

This vertically tiered setup requires that channels and RPMs be created only on the SUSE Manager server. In this manner, the proxies inherit and then serve packages from a central location.

The Proxy Servers' SSL certificates should also be set up so that the SUSE Manager Proxy servers become clients of the SUSE Manager. These Proxy servers should also be set up to serve content to client systems simultaneously. This process is described in the Section “Configuring Client Systems to Use Certificates” (Chapter 3, SSL Infrastructure, ↑Client Configuration Guide).

Figure 2.3. SUSE Manager with SUSE Manager Proxies—Vertically Tiered

SUSE Manager with SUSE Manager Proxies—Vertically Tiered

Chapter 3. Requirements

For requirements and prerequisites to be met before installation, refer to Section 3.1, “System Requirements” and Section 3.4, “Prerequisites”. If you want to use SUSE Manager with an external database, refer to Section 3.2, “External Database Requirements”.

3.1. System Requirements

The following sections inform about the system requirements and some prerequisites for SUSE Manager, including hardware, database, supported clients, and other requirements. The base system for SUSE Manager 2.1 is SLES 11 SP 3.

3.1.1. Server Requirements

Hardware

Required/Recommended

CPU

Required: a multi-core 64bit CPU (x86_64).

RAM

Required: 4 GB when only managing a few client systems.

Recommended for production use: 16 GB.

Free Disk Space

Required: 20 GB for base installation.

Additionally at least 25 GB for caching per distribution or channel; resizable partition strongly recommended.

For examples of sizing requirements for SUSE Manager, see https://www.suse.com/support/kb/doc.php?id=7015050.

[Note]

We strongly recommend to use disk space monitoring probes to avoid file system and database corruption due to a lack of disk space. Set a lower threshold than you would use for a regular system so as to notify the admin in advance of upcoming low disk space conditions. For more information on monitoring see Chapter 11, Monitoring — [Mon] (↑User Guide) and Appendix B, Probes (↑Reference Guide).

3.1.2. Supported Client Systems

Clients with the following operating systems and architectures are supported for registration at SUSE Manager:

System

Supported Architectures

SUSE Linux Enterprise 11 SP4 *)

x86, x86_64, Itanium, IBM POWER, IBM z Systems

SUSE Linux Enterprise 12

x86_64, IBM POWER (ppc64le), IBM z Systems

Red Hat Enterprise Linux 5

x86, x86_64

Red Hat Enterprise Linux 6

x86, x86_64

Red Hat Enterprise Linux 7

x86, x86_64

Novell Open Enterprise Server 11, 11 SP1, and 11 SP2

x86, x86_64

*) SUSE Linux Enterprise 11 clients are supported only with LTSS, unless using SUSE Linux Enterprise Server 11 SP4, which still has general support.

[Warning]Do Not Register SUSE Manager Against Itself

You must not register a SUSE Manager instance against itself!

The reason is that if patching goes wrong, you would not be able to apply a patch to patch the SUSE Manager instance back into a working condition.

3.2. External Database Requirements

This section applies only to SUSE Manager if used with a stand-alone database. The requirements for the embedded database are included in Section 3.1, “System Requirements”. SUSE Manager supports Oracle Database 10g and 11g. The stand-alone database must not run on the same server as the SUSE Manager.

A single 6 GB tablespace is recommended for most installations. It possibly works for many customers with a smaller tablespace. An experienced Oracle database administrator (DBA) will be necessary to assess sizing issues. However, keep in mind that the exact size of the database depends on many factors, such as number of systems managed, number of packages installed on the client systems, and number of packages imported. For example, 1000 packages need approximately 100 MB in the database. Due to these factors, database storage may grow rapidly.

Although you should be generous in your database sizing estimates, you must consider that size affects the time to conduct backups and adds load to other system resources. If the database is shared, selecting the right hardware and spacing entirely depend on what else is using it.

Additionally, block sizes must be a minimum of 8 KB for SUSE Manager to install properly.

The Oracle database should have a user assigned to SUSE Manager with full DDL and DML access to that user's default tablespace. The user needs standard connection information for the database at the time of installation.

Before installing SUSE Manager some system-level ALTER statements must be executed:

alter system set job_queue_processes=1000;
alter system set processes = 400 scope=spfile;
alter system set deferred_segment_creation=FALSE;

Also, the charset must be set to UTF-8. The following example script switches the character set and executes the ALTER statements:

# Run this as user oracle:
cat - << EOF | sqlplus /nolog
connect / as sysdba;
select value from nls_database_parameters where parameter='NLS_CHARACTERSET';
shutdown immediate;
startup mount;
alter system enable restricted session;
alter system set job_queue_processes=0;
alter database open;
alter database character set UTF8;
alter database character set internal_use utf8;
shutdown immediate;
startup;
alter system set job_queue_processes=1000;
alter system set processes = 400 scope=spfile;
alter system set deferred_segment_creation=FALSE;
EOF

The precise access levels required by the Oracle user (susemanager) are as follows:

  • ALTER SESSION

  • CONNECT

  • CREATE CLUSTER

  • CREATE INDEXTYPE

  • CREATE SEQUENCE

  • CREATE SYNONYM

  • CREATE TABLE

  • CREATE VIEW

  • CREATE OPERATOR

  • CREATE PROCEDURE

  • CREATE TRIGGER

  • CREATE TYPE

  • CREATE SESSION

  • EXECUTE ON DBMS_LOB

  • RESOURCE

  • UNLIMITED TABLESPACE

Here's an example script to grant these permissions in one go:

cat - << EOF | sqlplus /nolog
connect / as sysdba;
create user susemanager identified by password default tablespace tablespace;
GRANT CONNECT, RESOURCE TO SUSEMANAGER;
ALTER USER SUSEMANAGER DEFAULT ROLE NONE;
grant ALTER SESSION to susemanager;
grant CREATE SEQUENCE to susemanager;
grant CREATE SYNONYM to susemanager;
grant CREATE TABLE to susemanager;
grant CREATE VIEW to susemanager;
grant CREATE PROCEDURE to susemanager;
grant CREATE TRIGGER to susemanager;
grant CREATE TYPE to susemanager;
grant CREATE SESSION  to susemanager;
grant CREATE CLUSTER to susemanager;
grant CREATE INDEXTYPE to susemanager;
grant CREATE OPERATOR to susemanager;
grant UNLIMITED TABLESPACE to susemanager;
grant EXECUTE on DBMS_LOB to susemanager;
EOF

Additional database requirements include:

  • Security Identifier (SID),

  • Listener Port,

  • Username,

  • UTF-8 character set.

Two additional suggested recommendations for the user's default tablespace include:

  • Uniform Extent Size,

  • Auto Segment Space Management.

[Important]"UTF8" Charset Mandatory

Ensure that the NLS/charset is set to "UTF8" when using an external database, not "AL32UTF8" or other charsets. Using other charsets may lead to problems later.

The disk layout on the database machine is independent of SUSE Manager and entirely up to the customer.

[Note]For More Information

For more information, see http://wiki.novell.com/index.php/SUSE_Manager/RDBMS.

3.3. Additional Requirements

[Important]Network Setup

For correct installation and setup of SUSE Manager, make sure the following requirements are met.

Fully Qualified Domain Name (FQDN):

The SUSE Manager server must resolve its own FQDN correctly, otherwise cookies will not work properly on the Web interface.

Hostname and IP Address:

To guarantee that SUSE Manager's domain name can be resolved by its clients, the server and the client machines must be linked to a working Domain Name System (DNS) server in the customer environment.

The hostname of the SUSE Manager server must not contain uppercase letters as this might cause jabberd to fail.

[Important]Renaming SUSE Manager Server Not Supported

Choose the hostname of the SUSE Manager server carefully. Once installed renaming is not supported.

For more information, see http://wiki.novell.com/index.php/SUSE_Manager/HostnameChange.

Full Access:

Client systems need full network access to the SUSE Manager's services and ports.

Firewall Rules:

Protect your SUSE Manager with a firewall against the Internet by blocking all unnecessary and unused ports.

Client systems connect to SUSE Manager via ports 80, 443, and 4545 (if monitoring is enabled). In addition, enabling push actions from SUSE Manager to client systems, as described in Section 8.12, “Enabling Push to Clients”, requires inbound connections on port 5222. If SUSE Manager will also push to a SUSE Manager proxy, you must allow inbound connections on port 5269.

SUSE Manager and SUSE Manager Proxy both contact several external addresses in order to maintain updates and entitlements. Which hostnames are utilized depends on if you are using legacy Novell Customer Center or have migrated to SUSE Customer Center. It is highly recommended that you migrate to SUSE Customer Center. The following lists provide the up-to-date hostnames for each service requiring permission when used in combination with corporate firewall and content filters.

SUSE Customer Center Hostnames (Recommended)

Novell Customer Center Hostnames (Legacy)

Table 3.1. Ports to Open on SUSE Manager

Port

Direction

Reason

67

Inbound

Open this port to configure the SUSE Manager system as a DHCP server for systems requesting IP addresses.

69

Inbound

Open this port to configure SUSE Manager as a PXE server and allow installation and reinstallation of PXE-boot enabled systems.

80

Outbound

SUSE Manager server uses this port to reach Novell Customer Center

80

Inbound

WebUI, client, and proxy server requests come in via either http or https.

443

Inbound

WebUI, client, and proxy server requests come in via either http or https.

443

Outbound

SUSE Manager uses this port to reach Novell Customer Center (unless running in a disconnected mode with SMT—as described in Section 4.4, “Setup Without Internet Connection”).

4545

Outbound

SUSE Manager Monitoring makes connections to rhnmd running on client systems if Monitoring is enabled and probes are configured for registered systems.

5222

Inbound

Required by osad running on the client systems if you plan to push actions to client systems.

5269

Inbound/Outbound

Needed if you push actions to or via a SUSE Manager Proxy.


For reference, here are also listings of ports to open on the client systems and the SUSE Manager Proxy server.

Table 3.2. Ports to Open on the Client Systems

Port

Direction

Reason

80 and 443

Outbound

To reach the SUSE Manager server or SUSE Manager Proxy server.

22

Inbound

Required when using ssh-push or ssh-push-tunnel contact methods.

4545

Inbound

For connections from the server or proxy server for monitoring.

5222

Outbound

For push actions with the server or proxy server.


Table 3.3. Ports to Open on the Proxy Servers

Port

Direction

Reason

22

Inbound

Required when using ssh-push or ssh-push-tunnel contact methods. Check-in on clients connected to a SUSE Manager Proxy will be initiated on the SUSE Manager Server and hop through through to clients.

80 and 443

Outbound

To reach the SUSE Manager server.

4545

Outbound

For monitoring and probes connecting rhnmd running on the client systems.

5222

Inbound

For push actions and connections issued by osad running on the client systems.

5269

Inbound/Outbound

For push actions with the server.


Synchronized System Times:

The connection to the Web server via Secure Sockets Layer (SSL) requires correct system time on server and clients. For this reason, SUSE Manager server and all client systems must use NTP. If SUSE Manager is used with a stand-alone database, the machine running the database must be set to the same time zone as SUSE Manager.

Novell Customer Center account:

For using SUSE Manager, you need an account at the Novell Customer Center (NCC), where your purchased products and product subscriptions are defined. Make sure to have the following subscriptions:

  • one or more subscriptions for SUSE Manager,

  • subscriptions for the products on the client systems you want to register with SUSE Manager,

  • subscriptions to client entitlements for the client system you want to register with SUSE Manager.

Keep backups of login information in multiple secure places:

Record all relevant usernames, passwords and other login information. For SUSE Manager, this includes usernames and passwords for the Organization Administrator account, the primary administrator account on SUSE Manager itself, SSL certificate generation, and database connection (which also requires a SID, or net service name). We strongly recommend this information be copied onto two separate electronic media, printed out on paper, and stored in a fireproof safe.

Supported Browsers

SUSE Manager supports the latest versions of IE, Firefox, Chrome and the version of Firefox shipped with our latest SUSE Linux Enterprise version. Other browsers may work, but are not tested and supported.

Virtual Environments

For running SUSE Manager server in virtual environments, use the following settings for the virtual machine (VM):

  • At least 4 GB of RAM

  • Bridged network

The following virtual environments are supported:

  • KVM

  • VMware

  • Hyper-V

For running SUSE Manager in KVM, VMware, or Hyper-V, use the SUSE Manager ISO image.

In addition to these requirements, we recommend to configure SUSE Manager in the following way:

  • The entire SUSE Manager solution should be protected by a firewall if the SUSE Manager server accesses or is accessed via the Internet. An Internet connection is not required for SUSE Manager servers running in completely disconnected environments. Instead they can use channel content downloaded to Subscription Management Tool (SMT) for synchronizing SUSE Manager with Novell channels. For more information, see Section 4.4, “Setup Without Internet Connection”.

  • No system components should be directly publicly available. No users other than the system administrators should have command line access to these machines.

  • All unnecessary services should be disabled using chkconfig.

  • The httpd service should be enabled.

  • If SUSE Manager serves monitoring-entitled systems and you want to acknowledge incoming alert notifications via email, you must have installed and configured a mail transfer agent such as postfix to properly handle email. This can be done with YaST.

  • Check the log files, if further tuning is needed—such as increasing OutOfMemoryError. For more information, see Section 7.6, “Log Files”.

3.4. Prerequisites

For the basic SUSE Manager setup, you need to have your mirror credentials from the NCC at hand. To look up your credentials and the email address with which you are registered in NCC, proceed as follows.

Procedure 3.1. Looking Up Mirror Credentials in NCC

  1. Start a Web browser and go to http://www.novell.com/center.

  2. Log in to the NCC.

  3. Select Software+Mirror Credentials. A Web page opens showing your credentials (username and password).

  4. Memorize the username and the password listed there.

  5. Select your user name, then View Profile and memorize the email address with which you are registered.

  6. Log out from the NCC.

Chapter 4. Installation

SUSE Manager is an appliance: a management server application combined with an operating system. It can be deployed on industry hardware or in a virtual environment and used with an embedded or a stand-alone database.

If your future SUSE Manager server is connected to the Internet, it will receive any updates directly from the Novell Customer Center. For a disconnected setup scenario, configure SUSE Manager to receive updates from an internal update server (like SMT) instead.

The YaST graphical user interface will guide you through the installation and the setup process. It is started in text mode. Use the →| key to navigate among individual elements. To select a value from a list, use the and arrow keys and press Enter. To activate an option, press the Space key.

For new features and changes, see Appendix F, Changes (↑Reference Guide).

To migrate an existing SUSE Manager server 1.7 to version 2.1, refer to Section 8.17, “Online Migration with YaST Wagon.

4.1. Summary of Steps

The following installation and setup scenarios, including all required steps for basic configuration of SUSE Manager are covered in this guide:

Setup From Scratch—With Internet Connection

For installation and initial setup, you need to execute the following basic steps:

  1. If using a stand-alone database: Preparing your database instance according to the formula provided in Chapter 3, Requirements.

  2. Installing the Appliance

  3. Setting Up SUSE Manager

Setup From Scratch—Without Internet Connection

For installation and initial setup, execute the same basic steps as listed above, but skip the registration of the product at NCC. For details, refer to Section 4.4, “Setup Without Internet Connection”.

Migration from a Satellite Server

Instead of setting up a SUSE Manager server from scratch, you can also migrate from an existing Satellite server. For details, refer to Section 4.6, “Satellite to SUSE Manager Server Migration”.

[Important]Renaming SUSE Manager Server Not Supported

Choose the hostname of the SUSE Manager server carefully. Once installed renaming is not supported.

For more information, see https://wiki.microfocus.com/index.php?title=SUSE_Manager/HostnameChange.

4.2. Installation

The following procedure describes the installation on a physical machine. Make sure the machine you intend to use fulfills the “Server Requirements”. If you want to install the appliance in a virtual machine, additionally check the settings listed in Virtual Environments.

Procedure 4.1. Installing the Appliance

[Warning]Loss of Data

Installing SUSE Manager on a physical machine will completely erase any data on the hard disk that will be used for installation. Before you start the installation process, create a backup of your hard disks.

  1. Boot your future SUSE Manager server from the installation medium. Select Install/Restore SUSE Manager.

  2. If your machine contains more than one hard disk, you are asked which one to use for the installation of SUSE Manager. Navigate with the arrow keys, and use the space key to mark the desired hard disk. You are asked if you want to continue and you are warned that the installation will destroy all data on the disk.

  3. To proceed, answer with Yes. The deployment process takes over. This step may take some time as large amounts of data need to be unpacked and verified. After the verification, YaST firstboot is started.

  4. In the first screen, set the system Language and Keyboard Layout for your future SUSE Manager server. Proceed with Next.

  5. In the next screen, read the licenses and agree to them. Proceed with Next. The installation routine checks some basic system requirements and depending on the results, lets you decide whether to proceed with the installation or cancel.

  6. In the next screen, set the root password for your SUSE Manager server and confirm it.

    Figure 4.1. YaST Firstboot—Password for the System Administrator

    YaST Firstboot—Password for the System Administrator

    Proceed with Next.

  7. In the next screen, configure the network settings. Note the network requirements listed in Section 3.3, “Additional Requirements”. Either choose to Use Following Configuration or Change the network setup according to your wishes.

    Figure 4.2. YaST Firstboot— Network Configuration

    YaST Firstboot— Network Configuration

    Proceed with Next.

  8. In the next screen, configure the Clock and Time Zone to use for your SUSE Manager server. Proceed with Next.

  9. In the next screen, configure the NTP settings according to your wishes. For more information about the options, refer to Help. Note the NTP requirements listed in Section 3.3, “Additional Requirements”. Proceed with Next.

  10. In the next screen, your are asked to register and activate your product at NCC. During registration, the respective online update repositories are automatically configured.

    [Important]NCC Registration and Updates

    Proper registration is mandatory for the system to receive updates and to ensure that any known installation problems are fixed. In case of a disconnected SUSE Manager setup, skip this step by selecting Configure Later.

    Figure 4.3. YaST Firstboot—NCC Configuration

    YaST Firstboot—NCC Configuration

    If you decide to Configure Later, you can call the respective YaST module on the SUSE Manager server with the yast inst_suse_register command any time.

    If you need to check the registration status of your SUSE Manager, use the isRegistered command on the server. If the system is registered, more detailed information is available in the /var/lib/suseRegister/registration-status.xml file.

    To register directly:

    1. Select Configure Now (Recommended).

    2. Confirm that you want to continue. A text-based browser (w3m) appears. Use the →| key or the arrow keys to navigate among individual elements. To enter data into an input field, activate text input mode by pressing the Enter key once, then enter the value and press Enter again to confirm.

    3. After all values are entered according to your wishes, Submit your input and press Shift+Q to close the text-based browser.

  11. On the Installation Completed screen, select Finish to close YaST firstboot. The boot process continues.

  12. Wait for the boot process to finish.

    [Important]SUSE Manager Update Required

    After installation, update your SUSE Manager server to apply the latest patches before starting the setup process. To receive updates, registration at NCC (or a connection to an internal update server like SMT) is required. For details on how to execute the update, refer to Section “Updating Packages on SLE” (Chapter 2, Package Update Tools (SLE and RHEL), ↑Reference Guide).

4.3. Setup

In the previous step you ran YaST firstboot and updated SUSE Manager server. Now use a setup script to configure the basic data for setup and the database connection on several consecutive screens. You run this via YaST. Enter a value in each input field, otherwise the setup may fail.

In the setup screens, you will also be prompted for two passwords.

[Note]Password Criteria

Both passwords must match the following criteria (otherwise the connection to the database or the creation of the certificate might fail):

  • Length: At least 7 characters.

  • Special characters: Must not contain any of the following characters:

    • Spaces

    • Quotation marks (neither " nor ')

    • Exclamation marks (!)

    • Dollar symbols ($)

Procedure 4.2. Setting Up SUSE Manager

  1. Log in to the machine as root with the password you set during the installation in Step 6.

  2. Execute yast2 susemanager_setup to start the setup process.

  3. The first setup screen lets you choose between setting up SUSE Manager from scratch and migrating to SUSE Manager from a Satellite/Spacewalk compatible server. Choose Set up SUSE Manager from scratch. Proceed with Next.

    Figure 4.4. Setup—Type

    Setup—Type

  4. In the next setup screen, enter an email address for the SUSE Manager administrator. It is used for notifications by SUSE Manager and is associated with the SSL certificate to be created in the next step. In the same dialogue, decide whether SUSE Manager should advertise its services via SLP under the name susemanager. Clients can then find the closest SUSE Manager server to connect to. Proceed with Next.

  5. In the next setup screen, enter the details needed for the creation of an SSL certificate. The certificate is used for a number of purposes like connections to a proxy, HTTPS protocol in browsers, and more.

    1. Enter the name of your organization, the organization unit, and the city, state and country that your SUSE Manager server is located in. The Organization name defines the name of the default administrative organization that is automatically created during setup.

    2. Set an SSL (Secure Sockets Layer) password and repeat it in the next field.

      Figure 4.5. Setup—Certificate

      Setup—Certificate

      Proceed with Next.

  6. In the next setup screen, set the details for the setup of the server and the database:

    1. Decide whether to use the embedded (local) or a remote database for SUSE Manager.

      If you select Local Database, YaST automatically sets the Port and Protocol.

      To use an existing, remote database instead, select Remote Database and enter the following details for the connection to the database: the database system (SID) used to identify a particular database instance, the FQDN of the remote database, the external Port to use (usually 1521), and the Protocol to use (usually TCP).

    2. If you use the embedded database, set a user name and a password for the SUSE Manager database user (that is used to connect to the database).

      For a remote database, enter a user name that already exists in the database configuration, and enter the correct password for this user. Otherwise the connection to the database will fail.

    3. Repeat the password in the next field.

      Figure 4.6. Setup—Local Database

      Setup—Local Database

      Proceed with Next.

  7. The last setup screen asks for your SUSE Customer Center (SCC) credentials. Select Connect to SCC and enter your SCC Organization Credentials Username and SCC Organization Credentials Password.

    Figure 4.7. Setup—SCC Settings

    Setup—SCC Settings

    [Note]NCC Settings

    In case you did not deploy all the offered packages, you might be asked to Connect to NCC and enter your NCC Mirror Credentials Username, the NCC Mirror Credentials Password, and your NCC Email Address.

    Because registering new installations at NCC is now discouraged, it is strongly recommended to install the missing packages and restart the setup procedure.

  8. Proceed with Next and confirm with Yes to start the setup.

    [Note]Long Operation

    This step may take some time. Wait until the Setup is completed message appears in the upper part of the YaST screen.

  9. Click Next and read the instructions about the next steps. Close YaST by pressing Finish.

The basic SUSE Manager settings are written to /etc/rhn/rhn.conf. If you have chosen to use a local database, the initial database is created and populated. If you have chosen to use a remote database, the setup script connects to the database.

The setup script also runs the /usr/sbin/mgr-sync command which downloads the subscriptions listed in your Organization Credentials. The respective Software Channel Entitlements will be listed in the SUSE Manager Web interface (select Admin+Subscriptions).

To switch from a trial license to a full license, repeat server registration with the new registration key (or keys, in case more than one applies). Replace EMAIL_ADDRESS and REGISTRATION_CODE with appropriate values in this command:

suse_register -a email=EMAIL_ADDRESS -a regcode-sms=REGISTRATION_CODE

Then refresh SUSE Manager channels to reflect the new entitlements with the mgr-sync refresh command.

[Tip]Running SUSE Manager Behind an HTTP Proxy

If mgr-sync fails because you are running the SUSE Manager server behind an HTTP proxy configured with YaST, check in the Web interface whether the proxy is actually known to SUSE Manager. For more information, see Section “Admin > SUSE Manager Configuration > General” (Chapter 12, Admin, ↑User Guide).

[Note]Accessing SCC scc.suse.com

scc.suse.com uses proxy technologies to provide a fast download service world-wide. Depending on the location, the real hostname and the IP address is different.

To correctly setup company firewalls, to allow access to the repositories, check which proxy you are using with the following command:

nslookup scc.suse.com

4.4. Setup Without Internet Connection

If it is not possible to connect SUSE Manager directly or via a proxy to the Internet, a disconnected setup in combination with Subscription Management Tool (SMT) is the recommended solution. In this scenario, SMT stays in an external network with a connection to Novell Customer Center and synchronizes the software channels and repositories on a removable storage medium. Then you separate the storage medium from SMT, and let the SUSE Manager server mount it locally to read the data.

4.4.1. Basic Configuration and Usage

Procedure 4.3. SMT: Fetching Data from the Internet

  1. Install SMT in the external network with SUSE Customer Center (SCC) or Novell Customer Center (NCC) connection. For details about installing SMT, see http://www.suse.com/documentation/smt11/.

  2. In SMT, mirror all wanted repositories.

  3. Create a database replacement file (e.g., /tmp/dbrepl.xml):

    smt-sync --createdbreplacementfile /tmp/dbrepl.xml
  4. Mount a removable storage medium such as an external hard disk or USB flash drive.

  5. Export the data to the mounted medium:

    smt-sync --todir /media/disk/
    smt-mirror --dbreplfile /tmp/dbrepl.xml --directory /media/disk \
               --fromlocalsmt -L /var/log/smt/smt-mirror-export.log
        
    [Note]Synchronizing Meta Data

    smt-sync also exports the subscription and entitlement data. To keep SUSE Manager up-to-date with the amount of subscriptions and entitlements, you must export and import these data frequently.

  6. Unmount the storage medium to carry it to your SUSE Manager server.

Continue with the configuration on your SUSE Manager server.

Procedure 4.4. SUSE Manager Server: Updating Data from the Storage Medium

  1. Mount the storage medium on your SUSE Manager server (e.g., at /media/disk).

  2. Specify the local path on the SUSE Manager server in /etc/rhn/rhn.conf:

    server.susemanager.fromdir = /media/disk

    This setting is optional if you are still using NCC with mgr-ncc-sync, while it is mandatory for SCC using mgr-sync.

  3. Restart Tomcat:

    rctomcat6 restart
  4. Do a full sync before anything else:

    mgr-sync refresh                       # SCC (fromdir in rhn.conf required!)
    mgr-ncc-sync --from-dir /media/disk    # NCC
  5. mgr-ncc or mgr-ncc-sync can now be used as usual. SCC, for example:

    mgr-sync list channels
        mgr-sync add channel channel-label

    With mgr-ncc-sync using NCC specify --from-dir parameter to point the sync to the mounted disk, if not set in rhn.conf:

    mgr-ncc-sync --from-dir /media/disk -l
    mgr-ncc-sync --from-dir /media/disk -c channel-name
    [Warning]Data Corruption

    The disk must always be available at the same mount point. To avoid data corruption, do not trigger a sync, if the storage medium is not mounted. If you have already added a channel from a local repository path, you will not be able to change its URL to point to a different path afterwards (this includes NCC).

Now the up-to-date data are available on your SUSE Manager and ready for updating the client systems. According to your needs, refresh the data on the storage medium:

Procedure 4.5. Refreshing Data on the Storage Medium

  1. On the SUSE Manager server, unmount the storage medium to carry it to your SMT.

  2. On your SMT, continue with Step 4.

[Warning]Data Corruption

The storage medium must always be available at the same mount point. To avoid data corruption, do not trigger a sync if the storage medium is not mounted.

4.4.2. Additional Settings

To disable the forwarding of registrations to Novell Customer Center via mgr-register, set the following value in /etc/rhn/rhn.conf:

server.susemanager.forward_registration = 0

Without this setting, the log file will be populated with many error messages.

4.5. Basic Configuration

To complete the basic SUSE Manager configuration, you need to execute the following steps:

4.5.1. Login to the Web Interface

After installation of the appliance, you need to log in and create the first administrator account for SUSE Manager. This administrator has access to all resources on SUSE Manager and has the right to create and manage user accounts. Additionally, he is given the role of an organization administrator for the default organization created during SUSE Manager installation and setup.

To access the SUSE Manager Web interface, ask your system administrator for the URL of your SUSE Manager server. It is shown on the console after completion of the installation— see Step 8 from Procedure 4.1, “Installing the Appliance”.

Procedure 4.6. Creating the SUSE Manager Administrator Account

  1. Start a Web browser. Enter the URL of your SUSE Manager server, using the Fully Qualified Domain name as in the following example: susemanager.example.com. The SUSE Manager Web interface appears. On first login, you are prompted to create the SUSE Manager administrator account.

  2. Enter the data for the administrator account and click Create Login.

    You will be logged in as administrator.

  3. On the Overview tab, a message notifies you to finalize your basic system configuration. In the message, there's a link to the Setup Wizard, where you can add and manage products without having to pick individual channels. For more information on the setup wizard, see Section “Admin > Setup Wizard” (Chapter 12, Admin, ↑User Guide).

4.5.2. Setup of SUSE Channels and Products

Channels are collections of repositories which are assigned to client systems. Without a channel, clients cannot be grouped nor can they receive updates.

[Note]SUSE Manager Server Without Internet Connection

This procedure only applies to scenarios where your SUSE Manager server is connected to the Internet. For a disconnected scenario using Subscription Management Tool, refer to Section 4.4, “Setup Without Internet Connection”.

During installation, a first synchronization between Novell Customer Center and SUSE Manager is automatically done by mgr-ncc-sync. At this point, it only downloads the subscriptions to the products you have registered for. When you first log in to the SUSE Manager Web interface, there's a link to the Setup Wizard, where you can add and manage products without having to pick individual channels. For more information on the setup wizard, see Section “Admin > Setup Wizard” (Chapter 12, Admin, ↑User Guide).

[Note]Expanded Support

After adding Expanded Support channels to SUSE Manager, the parent channel (rhel-channel) needs to be filled with the RHEL DVD contents using the following command:

  • Copy the ISO of the RHEL DVD to your SUSE Manager server as /tmp/rdvd.iso.

  • Create a directory:

    mkdir -p /srv/www/htdocs/pub/rhel
  • Mount the ISO:

    mount -o loop /tmp/rdvd.iso /srv/www/htdocs/pub/rhel
  • Start spacewalk-repo-sync:

    spacewalk-repo-sync -c rhel-channel -u https://127.0.0.1/pub/rhel/Server/
    Repo URL: https://127.0.0.1/pub/rhel/Server/
    Packages in repo:              3690
    Packages already synced:          0
    Packages to sync:              3690
    1/3690 : texlive-latex-2007-57.el6_2-0.x86_64
    2/3690 : boost-filesystem-1.41.0-18.el6-0.i686
    3/3690 : policycoreutils-newrole-2.0.83-19.39.el6-0.x86_64
    [...]

After the end of the synchronization, you will be able to manipulate this channel as a regular SUSE Manager channel.

To manually import and synchronize specific channel data after installation, perform to the following procedure:

Procedure 4.7. Importing SUSE Channels from NCC

  1. On a shell, log in to the SUSE Manager server as root.

  2. Execute mgr-ncc-sync -l to view all channels that you are allowed to synchronize with SUSE Manager. The output lists both parent and child channels. The following notation is used to mark each channel:

    • [.]: A channel not imported or synchronized yet.

    • [p]: A previously imported or synchronized channel.

  3. Select the channels you want to import. You can only import child channels if their respective parent channel is already imported.

    [Note]Deleting SUSE Channels

    By now, it is possible to delete SUSE channels with spacewalk-remove-channel.

  4. For each channel that you want to import, run mgr-ncc-sync with the -c option and add the respective channel label. For example:

    mgr-ncc-sync -c suse_sles_11.i586-base

    The respective channel data is imported into the SUSE Manager database and a full synchronization is triggered for that channel.

[Note]Client Tools Channel

Make sure to also import the client tools channel. It provides the packages that need to be installed on a system to make it a SUSE Manager client system.

Any channel that has been imported is also displayed in the SUSE Manager Web interface. To see a list of all channels, go to the Channels tab and select SUSE Channels from the left navigation bar.

For setting up automatic channel synchronization, see Section 8.10, “Automating Synchronization”.

4.5.3. Client Setup

For a list of client systems supported by SUSE Manager, refer to Section 3.1.2, “Supported Client Systems”. Registering clients to SUSE Manager is done with a bootstrap script that deploys all necessary information to the clients. The bootstrap script refers some parameters like activation keys or GNU Privacy Guard (GPG) keys that depend on your particular setup.

Procedure 4.8. Creating Activation Keys

Activation keys define entitlements and which channels and groups the client system is allowed to subscribe to. This information is passed on to all systems registered with a key. Each activation key is bound to the organization for which it has been created.

[Note]Activation Keys for New Organizations

If you need to create activation keys for a new organization, assign system entitlements first. For details, refer to Procedure “Assigning Entitlements to an Organization” (↑Reference Guide) and Section 4.5.4, “Organization Management”. The default organization has all necessary prerequisites by default.

  1. Log in to the SUSE Manager Web interface as administrator.

  2. Switch to the Systems tab and select Activation Keys.

  3. Click the Create Key link at the upper right corner.

  4. Enter a Description to identify the generated activation key.

  5. If you want the key to be generated automatically, leave the Key input field empty. If you want to use a certain string for the key, define the desired string in the Key input field.

    [Warning]Allowed Characters

    Do not use commas within the key string. All other characters are allowed. Commas are used as separators when registering client systems with multiple activation keys with rhnreg_ks.

  6. To restrict the number of client systems that can be registered with the activation key, set a Usage Limit by entering a maximum number of systems.

    For unlimited use, leave this field empty.

  7. With Base Channels, set the primary channel for the key. This can be either the SUSE Manager Default channel or a custom base channel.

    Choosing SUSE Manager Default allows client systems to register with the default SUSE-provided channel that corresponds to their installed version of SUSE Linux Enterprise.

  8. Activate the Add-On Entitlements that you want to give to the client systems that are registered with that key.

  9. If all newly registered client systems of your organization should inherit the properties of this key, activate the Universal Default check box. Only one universal default activation key can be defined per organization.

    [Warning]Changing the Default Activation Key

    Only one universal default activation key can be defined per organization. If some other key is already the default activation key for your organization, this check box will automatically unset the check box for that other key.

  10. Generate the key by clicking Create Activation Key. The prefix of the activation key indicates which organization (by ID number) owns the activation.

  11. To create more activation keys, repeat the steps above.

Figure 4.8. Example Activation Key

Example Activation Key

[Note]Activation Key Update

After modifying or adding any components that are bound to an existing activation key (for example adding channels), make sure to update the key under Systems+Activation Keys+KEY_TO_MODIFY+Update Activation Key.

The next steps are to generate the bootstrap.sh script on the SUSE Manager server, then edit a copy of the script and run the modified script on each client machine that you want to register with SUSE Manager.

Procedure 4.9. Generating the Bootstrap Script

Several options in the bootstrap script can be set via the SUSE Manager Web interface, for example, if remote command execution or remote configuration of clients should be allowed.

  1. On the SUSE Manager Web interface, switch to the Admin tab and select SUSE Manager Configuration+Bootstrap Script.

  2. Check the options listed on the page and activate or deactivate them according to your needs.

    [Note]Remote Command Execution and Configuration

    If you choose to Enable Remote Configuration or Enable Remote Commands, make sure that the rhncfg-actions package is installed on the client systems:

    1. Switch to the Systems tab and select Activation Keys.

    2. From the list of activation keys, click the one you want to modify.

    3. Click the Packages subtab, enter rhncfg-actions into the input field and click Update Key.

    The required package for remote command execution and configuration will automatically be installed on all client systems registered with the respective activation key.

  3. Click the Update button. The necessary bootstrap script is generated and stored on the server's file system in the /srv/www/htdocs/pub/bootstrap directory. It is also available from https://susemanager.example.com/pub/bootstrap/.

  4. Proceed with the following procedure,Procedure 4.10, “Editing the Bootstrap Script and Registering Clients”.

Procedure 4.10. Editing the Bootstrap Script and Registering Clients

Adjust the generated bootstrap script according to your needs. The minimal requirement is to include the activation key. We strongly recommend to also include one or more GPG keys (for example, your organization key, and package signing keys). Then execute the resulting script on each client machine that you want to register with SUSE Manager (either centrally, from the SUSE Manager server, or decentralized, on each client.)

[Note]Access to Installation Media During Registration

The bootstrap process triggers installation of packages on the client machines. Before executing the bootstrap script on a client, make sure the client can access its default installation medium: network access (in case of network repositories) or inserted DVD (in case of physical media).

  1. Log in as root to the SUSE Manager server.

  2. Create a copy of the automatically generated script:

    cd /srv/www/htdocs/pub/bootstrap
    cp bootstrap.sh bootstrap-edited.sh
  3. Edit the copy as follows:

    1. Search for the ACTIVATION_KEYS entry and enter the activation key from Procedure 4.8, “Creating Activation Keys”. Make sure to also include the organization prefix in the key, for example:

      ACTIVATION_KEYS=1-fef154ddcf0d515fc
    2. Search for the ORG_GPG_KEY entry and enter one or more filenames, separated by commas. The GPG key is located under the /srv/www/htdocs/pub/ directory and must be entered without any path name, for example:

      ORG_GPG_KEY=foo-12345678.key,bar-87654321.key

      If you do not need or have a GPG key, search for the variable USING_GPG and set it to 0.

      [Note]Package Signing Key for Red Hat Support

      If you receive maintenance and support for your Red Hat client systems through SUSE, make sure to include the package signing key you received from SUSE. Otherwise RPM packages cannot be installed on the Red Hat client systems. On the client system, run:

      rpm --import http://sumaserver/pub/res.key
      rpm --import http://sumaserver/pub/suse-307E3D54.key
    3. Adjust further parameters, if needed. For details, refer to the comments in bootstrap.sh.

    4. To enable the script for execution, remove the exit 1 entry from the message block. The last lines of the message block should now read:

      echo "the exit below)"
      echo
  4. Save the edited version of the script.

  5. Use one of the following possibilities to execute the edited script on all client machines that you want to register with SUSE Manager:

    • Log in as root on the SUSE Manager server and execute the following commands:

      cd /srv/www/htdocs/pub/bootstrap/
      cat bootstrap-edited.sh | ssh root@client_hostname /bin/bash
    • Log in to each client and execute the following command (all on one line):

      curl -Sks https://server_hostname/pub
      /bootstrap/bootstrap-edited.sh | /bin/bash

    The clients are registered with the SUSE Manager server as specified in the bootstrap script. The SUSE Manager Web interface shows the registered client systems on the Systems tab.

For more information about bootstrapping, refer to Chapter 5, Using Bootstrap (↑Client Configuration Guide).

[Note]Client-side PackageKit Conflicting with Remote SUSE Manager package management

If client-side PackageKit conflicts with remote SUSE Manager package management, consider to uninstall PackageKit.

4.5.4. Organization Management

During installation and setup, SUSE Manager automatically creates a default administrative organization. It gets the organization ID 1 and the organization name that you entered in Step 5.a in Procedure 4.2, “Setting Up SUSE Manager”. For management of larger environments, create multiple organizations: for example, for different departments within your company—or for administering several distinct third-party companies.

For more information and details about creating organizations, refer to Section “Managing Organizations” (Chapter 5, Managing Multiple Organizations, ↑Reference Guide).

4.5.5. Management of System and Software Entitlements

One important task after creating a new organization is to assign entitlements to the new organization. There are two types of entitlements that are important:

System Entitlements

Various categories of system entitlements are available: management, provisioning, monitoring, and virtualization entitlements. Having management entitlements is a base requirement for an organization to function in SUSE Manager.

Software Channel Entitlements

Apart from system entitlements, software channel entitlements are needed for each organization. For example, you must grant client tools channel entitlements to each organization (as this channels contains client software required for extended SUSE Manager functionality, such as AutoYaST or Kickstart or virtualization support).

For more details and instructions on how to transfer the respective entitlements from the default organization to any newly created organization, refer to Section “Managing Organization Entitlements” (Chapter 5, Managing Multiple Organizations, ↑Reference Guide).

4.5.6. User Management

When first logging in to the SUSE Manager Web interface, the account for the first SUSE Manager administrator needs to be created as described in Procedure 4.6, “Creating the SUSE Manager Administrator Account”. The SUSE Manager administrator can then add more SUSE Manager users and grant and edit permissions for each user.

[Note]Users and Organizations

Each user belongs to the organization within which the user account has been created. A user cannot belong to more than one organization. For creating or editing a user account, log in with an organization administrator account for the organization to which the user belongs or should belong.

Procedure 4.11. Creating User Accounts

Only organization administrators or SUSE Manager administrators can create and edit user accounts.

  1. Log in to the SUSE Manager Web interface as administrator. The top level row of the Web interface shows the organization you are currently logged in to.

  2. Switch to the Users tab and click the Create User link at the upper right corner.

  3. Enter the Desired Login and the Desired Password for the new user and confirm the password. Both login and password must consist of at least 5 characters.

  4. Enter the first and last name and the email address of the new user and click Create Login. The Web interface switches to the User List, showing either Active, Deactivated, or All users.

With the creation of a new user account, the user can log in to the SUSE Manager Web interface, but he does not have any administrative permissions yet. Administrative permissions are granted via roles. Each user can have multiple roles. To assign roles to a user and to set other permissions and options proceed as described in Procedure 4.12, “Editing User Accounts”:

Procedure 4.12. Editing User Accounts

  1. Log in to the SUSE Manager Web interface as administrator. The top level row of the Web interface shows the organization you are currently logged in to.

  2. Switch to the Users tab.

  3. From the left navigation bar, select if you want to see Active, Deactivated, or All users.

  4. From the list of users, click the user entry you want to modify. The Web interface shows the User Details for the selected entry. Apart from the user's name and password, the Details subtab also lets you assign roles to the user.

  5. Select the roles that you want to assign to the user. For detailed information about the roles, refer to Section “User List > Active > User Details > Details — [Mgmt]” (Chapter 10, Users — [Mgmt], ↑User Guide). If you activate the Organization Administrator check box, the user will automatically inherit the roles listed below. To assign or remove individual roles, activate or deactivate the respective check boxes.

  6. Click Submit to confirm your changes on the Details subtab.

  7. To set or modify the user's permissions for system groups, systems or channels that exist within the current organization, switch to the respective subtabs and follow the instructions on the Web interface.

  8. To modify preferences, addresses or notification methods for the currently selected user, switch to the respective subtabs and confirm your changes.

Procedure 4.13. Adding or Removing the SUSE Manager Administrator Role

As SUSE Manager administrator, you can assign the permission to become SUSE Manager administrator to other users.

  1. Log in to the Web interface as SUSE Manager administrator.

  2. For an overview of all users that exist within SUSE Manager (across all organizations), switch to the Admin tab and select Users from the left navigation bar.

    A green check mark in the SUSE Manager Administrator column marks users that have the respective permission.

  3. To assign or remove the SUSE Manager administrator role, activate or deactivate the SUSE Manager Administrator check box for the respective user.

For more details about user management, refer to Chapter 10, Users — [Mgmt] (↑User Guide).

4.5.7. Management of SUSE Manager with Database

For maintenance and administration purposes, SUSE Manager with Database is bundled with tools to administer your SUSE Manager database. Refer to the Reference Guide for more information.

4.6. Satellite to SUSE Manager Server Migration

If you have a SUSE Manager server installed in parallel to an existing Satellite server, you can migrate the Satellite server to SUSE Manager. The YaST SUSE Manager setup module first collects the necessary information. Then you execute the migration in several steps with the migration.sh script as described in Procedure 4.14, “Migrating a Red Hat Satellite to SUSE Manager”. Use -h to see the available options:

/usr/lib/susemanager/bin/migration.sh -h
[Note]Supported Migration

SUSE Manager supports migration from Satellite 5.3, 5.4, 5.5, and 5.6 servers. We recommend you get assistance from SUSE consulting, sales or partners.

Procedure 4.14. Migrating a Red Hat Satellite to SUSE Manager

  1. Log in to your existing SUSE Manager server as root.

  2. Make sure your susemgr; server is migrated to SCC; for more information, see Section “Migrating a Configured SUSE Manager to SCC” (Chapter 1, SUSE Customer Center (SCC) and Organization Credentials (Mirroring Credentials), ↑User Guide).

  3. Execute yast2 susemanager_setup to start the YaST module.

  4. Select Migrate a Satellite/Spacewalk compatible server. Proceed with Next.

  5. In the next screen, enter the Hostname of the Satellite Server, its Domain Name, the Satellite Database Username, the Satellite Database Password, and the Satellite Database SID.

    Figure 4.9. Migration—Satellite Information

    Migration—Satellite Information

    Proceed with Next.

  6. In the next screen, enter the IP Address of the SUSE Manager Server, the Database Administrator Password (belonging to the database's root), and the email address of the SUSE Manager administrator.

    Figure 4.10. Migration—SUSE Manager Information

    Migration—SUSE Manager Information

    Proceed with Next.

  7. The next screen asks for details about the database to be migrated.

    1. If you want to migrate data from an embedded database, select Local Database. YaST automatically sets the Port and Protocol.

      To migrate data from an existing remote database instead, select Remote Database and enter the following details for the connection to the database: the database system (SID) used to identify a particular database instance, the FQDN of the remote database, the external Port to use (usually 1521), and the Protocol to use (usually TCP).

    2. Enter or set the name and password of the SUSE Manager database user (that is used to connect to the local or remote database).

    3. Repeat the password in the next field.

      Figure 4.11. Migration—Local Database

      Migration—Local Database

      Proceed with Next.

  8. The next screen asks for your organization credentials from the SCC. Enter your SCC Organization Credentials Username and the SCC Organization Credentials Password).

    Figure 4.12. Migration—SCC Information

    Migration—SCC Information

    Proceed with Next.

  9. Click Next to close YaST and to write the collected information to a file that will be parsed by the migration.sh script during the next steps.

  10. Using the -r option, first copy the RPM packages and configuration files from the Satellite server:

    /usr/lib/susemanager/bin/migration.sh -r
    [Important]Long Operation

    This step may take hours to finish.

  11. Before you start the final migration process, make sure that nothing is changed on your Satellite server from this point on. Log in to your Satellite server and shut down the Web interface:

    rcapache2 stop
  12. On the SUSE Manager server, start the final migration process:

    /usr/lib/susemanager/bin/migration.sh -m

    It synchronizes any remaining changes (that may have occurred during the first run with the -r option) and migrates the database.

  13. After the process has been finished successfully, shut down the Satellite server.

  14. In the DNS server, change the name of the Satellite server to the SUSE Manager server's IP address, so that the new SUSE Manager server gets the hostname of the former Satellite server.

From now on, use your SUSE Manager as a replacement for your Satellite server. Since the hostname is the same, all certificates will still work. Any registered clients are automatically directed to the SUSE Manager server.

Chapter 5. SUSE Manager on IBM z Systems

5.1. Introduction

This best practice guide is intended for z/VM administrators responsible for operating the IBM z Systems Mainframe. The goal of this guide is to lead an z/VM administrator trained on normal z Systems operating protocols through the installation of SUSE Manager 2.1 onto an existing mainframe system. The intent of this article is not to cover the variety of hardware configuration profiles available on z Systems but instead to provide a foundational overview of the procedure and requirements necessary for a successful SUSE Manager server deployment.

5.2. Base System Requirements

The z/VM administrator should acquire and prepare the following resources for a successful SUSE Manager installation. SUSE Manager 2.1 for IBM z Systems is delivered as an appliance image. During setup it will be required to dump this SUSE Manager image onto a disk assigned to your designated z/VM guest. The following sections describe this procedure using the tools located on the SLES 12 installation media. These sections will provide you with the minimum recommended system requirements for SUSE Manager to include: hardware, database, and disk space. The base system for SUSE Manager 2.1 is SLES 11 SP3.

Hardware Requirements

  • See this link : IBM z Systems for supported IBM mainframes.

  • 5GB Memory (3GB RAM + 2GB VDISK swap) for a small number of clients. For a larger production system the ratio of physical memory to vdisk will need to be re-evaluated based on the number of clients being supported.

Media Requirements

The following tables contain the network and device information used for this guide. Your configuration data including network and device numbers will be different.

Network Type

IP Addresses

HOSTIP

192.168.0.10

NETMASK

255.255.255.0

nameserver

192.168.0.1

GATEWAY

192.168.0.254

FTP Server

ftp://example.com

Device Type

Device ID Number

EDEV Device

<EDEV_DEVICE_ID>

5.3. Additional Requirements

There are a few additional resource requirements you will need to prepare before installing the SUSE Manager appliance on your system. This section overviews these requirements.

Guest z/VM Network Information. The guest z/VM should be provided with a static IP address and hostname as these cannot be easily changed after initial setup. The hostname should contain less than 8 characters. For example: SUMA21

FTP Server Accessible from Guest. An ftp server must be reachable from the z/VM guest. This must contain the SUSE Manager installation media and a directory containing the contents of the SUSE Linux Enterprise 12 installation image. The extracted SLES12 directory is necessary for additional tools and will not be installed. For more information on loop mounting See also: https://www.suse.com/documentation/sled-12/book_sle_deployment/data/sec_deployment_remoteinst_instserver.html#sec_deployment_remoteinst_iso

FTP Server Contents

  • Directory containing the extracted SLES12 installation image.

    ftp://example.com/SLE-12-Server-GM/s390x/DVD1
  • SUSE Manager image

    ftp://example.com/SUSE_Manager-2.1.iso

parmfile for Network Configuration. A parmfile is required during the initial installation of SUSE Manager for network configuration. See also: (The parmfile-Automating the System Configuration) https://www.suse.com/documentation/sles-12/book_sle_deployment/data/sec_appdendix_parm.html

Pre-Installation Storage Requirements. There are several storage devices that must be configured and added before installation of SUSE Manager. You are required to calculate sufficient disk storage for SUSE Manager before runningyast2susemanager_setup. The following information will help fulfill these requirements.

[Warning]SUSE Manager Default Volume Groups and Disk Space

The SUSE Manager installation defaults to creating one volume group and a single volume for the root filesystem. The file system of SUSE Manager including the embedded database and patch directories will reside within this root volume. While adjustments are possible once installation has completed it becomes the administrators responsibility to specify and monitor these adjustments.

If your SUSE Manager runs out of disk space, this can have a severe impact on its database and file structure. Preparing storage requirements in accordance with this section will aid in preventing these harmful effects.

SUSE technical services will be unable to provide support for systems suffering from low disk space conditions as this can have an effect on an entire system and therefore becomes unresolvable. A full recovery is only possible with a previous backup or a new SUSE Manager installation.

Required Storage Devices

  • A read/writeable 191 minidisk with at least 100MB of available storage.

  • A 512-byte block EDEV emulated DASD device with at least 10GB of allocated space for SUSE Manager system files.

  • An additional disk is required for database storage. This should be an zFCP or DASD device as these are preferred for use with HYPERPAV. This disk should fulfill the following requirements

    At least 30GB for

    /var/lib/pgSQL

    At least 100GB for

    /var/spacewalk
  • For more information regarding storage requirements see also: https://www.suse.com/support/kb/doc.php?id=7015050

5.4. Storage Preparation

This procedure covers the preparation of the required storage devices in the Additional Requirements section. It is assumed that the SLES 12 installation image contents have been extracted to a directory on your ftp server. For more information on loop mounting See also: https://www.suse.com/documentation/sled-12/book_sle_deployment/data/sec_deployment_remoteinst_instserver.html#sec_deployment_remoteinst_iso >

  1. Logon to z/VM guest.

  2. Give access to the ftp command with:

    ==> vmlink tcpmaint 592
  3. Continue via ftp to your server:

    ==> ftp example.com 
  4. Log on to your ftp server.

  5. On the ftp server change to the extracted SLES 12 installation media directory and execute the following commands:

    ==> get boot/s390x/sles12.exec sles12.exec.a
                        
    ==> get boot/s390x/parmfile sles12.parmfile.a
                        
    ==> bin 
    
    ==> locsite fix 80  
                        
    ==> get boot/s390x/linux sles12.linux.a
                        
    ==> get boot/s390x/initrd sles12.initrd.a
                        
    ==> quit  
                    
  6. Next prepare Initial Program Loader (IPL) with:

    ==> PIPE < SLES12 LINUX A | fblock 80 00 | > SLES12 LINUX A
                        
    ==> PIPE < SLES12 INITRD A | fblock 80 00 | > SLES12 INITRD A
                    
  7. Advance to the next section.

5.5. SUSE Linux Enterprise 12 Required Functionality

This procedure walks through the necessary steps of installing the SLES 12 tools to memory which are required for dumping the SUSE Manager image.

  1. Start the Installation of SLES12.

    ==> SLES12
    1. After initial boot select 1 to start installation.

      Main Menu
      0)<-- Back <--
      1) Start Installation
      2) Settings
      3) Expert
      4) Exit or Reboot
      
      ==> 1
    2. Select 1 to continue with the installation.

      Start Installation
      
      0)<-- Back <--
      1) Installation
      2) Upgrade
      3) Rescue System
      4) Boot Installed System
      5) Network Setup
      
      ==> 1
                              
    3. Select 2 as the source medium.

      Choose the source medium
                          
      0) <-- Back <--
      1) DVD / CD-ROM
      2) Network
      3) Hard Disk
      
      ==> 2
  2. You will now configure your network. Select 1 as the network protocol.

    Choose the network protocol
    
    0) <-- Back <--
    1) FTP
    2) HTTP
    3) HTTPS
    4) NFS
    5) SMB / CIFS (Windows Share)
    6) TFTP
    
    ==> 1
                    
    1. Choose the network device appropriate for your configuration.

    2. Enter the port number if necessary.

    3. Enable OSI Layer 2 support (yes or no).

    4. Enter a mac address if necessary.

    5. Select automatic network configuration via DHCP only if your environment supports it.

  3. Next input your ftp information. Enter your ftp server address.

    Enter the name of the FTP server. (Enter '+++' to abort).
    
    192.168.178.30
                    
    1. Enter the directory which contains the SLES12 installation disk contents.

      Enter the directory on the server. (Enter '+++' to abort).
      
      /SLE-12-Server-GM/s390x/DVD1
                      
    2. Select user and password requirements, (yes or no) for your FTP server.

    3. Select proxy information (yes or no). The installation system will load.

  4. Select SSH as the desired display type. This will allow you to login via SSH.

    Select the display type.
    
    0) <-- Back <--
    1) X11
    2) VNC
    3) SSH
    4) ASCII Console
    
    ==> 3
                    
    1. Enter a temporary SSH password

5.6. SUSE Manager Installation

This section covers the installation of SUSE Manager on the required EDEV device.

Procedure 5.1. Preparing EDEV Disk Device

The following procedure prepares the EDEV device for dumping the SUSE Manager image to and sets it as the default boot disk. Log into your SUSE Linux Enterprise z Systems guest as root and issue the following commands.

  1. Log into the SUSE Manager server guest via SSH.

    tux > ssh root@SUMA21
  2. Bring the disk online with:

    root# > chccwdev -e <EDEV_DEVICE_ID> 
  3. Use the lsdasd command to list devices available on your system and their assigned id's:

    root# > lsdasd
                        
    Bus-ID     Status      Name      Device  Type  BlkSz  Size      Blocks
    ==============================================================================
     0.0.0240   active      dasda     94:0    FBA   512    10240MB   20971520
    
  4. Continue by writing the SUSE Manager image to the EDEV disk device:

    root# > wget -O - ftp://your_ftpserver/susemanager21.raw.xz | xzcat > /dev/dasda

    Run sync to ensure the buffer is empty.

    root# > sync
  5. Wait for the image to finish dumping to disk.

  6. After the image has finished dumping to your EDEV disk, you must execute the following command. This command takes the device offline and sets it as the default boot disk.

    root# > chccwdev -d <EDEV_DEVICE_ID>
  7. On the 3270 console run the following command:

    ==> #cp ipl cms
  8. Create the SUMA21 PARM-S11 A file and add the required kernel parameters for your setup. See also https://www.suse.com/documentation/sles-12/book_sle_deployment/data/sec_appdendix_parm.html

    [Warning]Parameter Contents

    Configuration parameters in the parmfile are case sensitive. Note the following example.

    HOSTIP=10.161.155.98
    NETMASK=255.255.240.0
    nameserver=10.160.2.88
    GATEWAY=10.161.159.254
    InstNetDev=osa Layer2=1
    OSAInterface=qdio OSAMedium=eth portno=0 portname=whatever
    ReadChannel=0.0.0800 WriteChannel=0.0.0801 DataChannel=0.0.0802
    Hostname=s390vsl098.suse.de
     
  9. Initial program load the edev device.

    ==> ipl <EDEV_DEVICE_ID>
  10. Log into the SUSE Manager server guest via SSH as root. The default password is linux.

  11. YaST firstboot will auto start. Accept the license agreement and Follow the steps to complete YaST firstboot procedures

  12. After firstboot procedures have completed continue by updating SUSE Manager using online update and reboot the system.

After rebooting you will need to setup the additional storage required for /var/spacewalk and /var/lib/pgSQL and swap space using the yast partitioner tool. This step is required before running yast2 susemanager_setup

After having configured the storage requirements, executed a yast update and completed a system reboot, run SUSE Manager setup to finalize the SUSE Manager installation on your z Systems mainframe:

root# > yast2 susemanager_setup

Proceed through the SUSE Manager setup until complete. For more information on a typical SUSE Manager setup, see also:

Chapter 6. Importing and Synchronizing with Inter-Server Sync

After installing SUSE Manager, you must provide it with the packages and channels to be served to client systems. This chapter explains how to import that data and keep it up to date.

Two tool chains come installed as part of the spacewalk-backend-tools package: mgr-exporter for exporting and mgr-inter-sync for synchronization, as well as mgr-ncc-sync.

6.1. Exporting with mgr-exporter

The SUSE Manager exporter (mgr-exporter) exports a SUSE Manager content listing in an XML format that the user then can import into another SUSE Manager. Export the content into a directory specified with the -d option, transport the directory to another SUSE Manager, then use the mgr-inter-sync to import the contents. These three steps synchronize two SUSE Managers so they serve identical content.

The mgr-exporter tool can export the following content:

  • Channel Families

  • Architectures

  • Channel metadata

  • Blacklists

  • RPMs

  • RPM metadata

  • Patches

  • Kickstarts

  • Support Information

  • SUSE Product Data

  • SUSE Subscriptions

To perform a SUSE Manager export (mgr-exporter), the following prerequisites must be met:

  • A successful SUSE Manager installation.

  • There must be sufficient disk space in the directory specified with the --dir option. This directory will contain the exported contents.

6.1.1. Performing an Export

Export the current SUSE Manager configuration into a backup or storage solution by executing the following command as root:

mgr-exporter --dir=/var/sw-export --no-errata --channel channel_name

When finished, the export directory may be moved to another SUSE Manager or a storage solution using rsync or scp -r.

The mgr-exporter tool offers several command line options. To use them, insert the option and appropriate value after the mgr-exporter command.

mgr-exporter Options:

-d DIRECTORY, --dir=DIRECTORY

Place the exported information into this directory.

-cCHANNEL_LABEL, --channel=CHANNEL_LABEL

Process data for this specific channel (specified by label) only. NOTE: the channel's label is not the same as the channel's name.

--list-channels

List all available channels and exit.

--list-steps

List all of the steps that mgr-exporter takes while exporting data. These can be used as values for --step.

-p --print-configuration

Print the configuration and exit.

--print-report

Print a report to the terminal when the export is complete.

--no-rpms

Do not retrieve actual RPMs.

--no-packages

Do not export RPM metadata.

--no-errata

Do not process patch (errata) information.

--no-kickstarts

Do not process kickstart data (provisioning only).

--debug-level=LEVEL_NUMBER

Override the amount of messaging sent to log files and generated on the screen set in /etc/rhn/rhn.conf, 0-6 (2 is default).

--start-date=START_DATE

The start date limit that the last modified dates are compared against. Must be in the format YYYYMMDDHH24MISS (for example, 20071225123000).

--end-date=END_DATE

The end date limit that the last modified dates are compared against. Must be typed in the format YYYYMMDDHH24MISS (for example, 20071231235900).

--make-isos=ISOS

Create a channel dump ISO directory called ISOS (for example, --make-isos=cd or dvd).

--email

Email a report of what was exported and what errors may have occurred.

--traceback-mail=EMAIL

Alternative email address for --email.

--db=DB

Include alternate database connect string: username/password@SID.

--hard-links

Export the RPM and kickstart files with hard links to the original files.

You can deselect some contents, such as RPMs, errata, or Kickstarts, which you do not want to export, by using the --no-* command line options. The default is to export everything.

The amount of time it takes mgr-exporter to export data depends on the number and size of the exported channels. The --no-packages, --no-kickstarts, --no-errata, and --no-rpms options reduce the amount of time required for mgr-exporter to run, but also prevents export of potentially useful information. For that reason, only use these options when certain the content is not required and can be excluded. Additionally, you must use the matching options for mgr-inter-sync when importing the data. For example, if you use --no-kickstarts with mgr-exporter you must specify the --no-kickstarts option when importing the data.

When exporting a base channel, you must also export the client tools channel associated with that base channel. This is because the tools channels contain the tools that install packages for autoinstalling a machine through SUSE Manager. For instance, if you export sles11-sp1-pool-x86_64 you must also export the sles11-sp1-suse-manager-tools-x86_64 channel in order to autoinstall machines to SUSE Linux Enterprise Server 11 SP1 x86_64.

6.2. Importing with SUSE Manager Synchronization Tool mgr-inter-sync

Before distributing packages via SUSE Manager, the packages must first be uploaded to the SUSE Manager server. This section describes the process for importing packages and other channel data.

6.2.1. mgr-inter-sync

The mgr-inter-sync tool enables a SUSE Manager server to update its database metadata and RPM packages from a SUSE Manager master server.

The SUSE Manager synchronization tool mgr-inter-sync can be used in a closed environment, such as the one created with a disconnected install, or it may obtain data directly from another SUSE Manager. Closed environment imports can get their data from the XML data generated by mgr-exporter.

mgr-inter-sync works incrementally, or in steps. To obtain patch (errata) information, it first requires information about the packages contained. For the packages to be updated, the tool first identifies the associated channels. For this reason, the SUSE Manager synchronization tool performs the following actions in order:

  1. channel-families — Import/synchronize channel family (architecture) data.

  2. channels — Import/synchronize channel data.

  3. rpms — Import/synchronize RPMs.

  4. packages — Import/synchronize full package data for those RPMs retrieved successfully.

  5. errata — Import/synchronize patch (errata) information.

Users can perform each of these steps individually for testing purposes with the effect of forcing the tool to stop when a step completes. All preceding steps, however, will execute. For example, calling the rpms step automatically ensures the channels and channel-families steps execute first. To initiate an individual step, use the --step option:

mgr-inter-sync --step=rpms

In addition to --step, the SUSE Manager synchronization tool offers many other command line options. To use them, insert the option and the appropriate value after the mgr-inter-sync command when launching import or synchronization.

SUSE Manager Import and Synchronization Options:

-h, --help

Display the list of options and exit.

-d=, --db=DB

Include alternate database connect string: username/password@SID.

-m=, --mount-point=MOUNT_POINT

Import or synchronization from local media mounted to the SUSE Manager. Use in closed environments (such as those created during disconnected installs).

--list-channels

List all available channels and exit.

-cCHANNEL_LABEL, --channel=CHANNEL_LABEL

Process data for this channel only. Multiple channels can be included by repeating the option. By default all channels on the SUSE Manager server will be refreshed. Use --list-channels to see the available channel labels.

-p, --print-configuration

Print the current configuration and exit.

--no-ssl

Not Advisable - Turn off SSL.

--orgid=ORGID

Organization to which the sync imports data (default: the admin account).

--step=STEP

Perform the synchronization process only to the step specified. Typically used in testing. By default, all steps are executed.

--no-rpms

Do not retrieve actual RPMs.

--no-packages

Do not process full package data.

--no-errata

Do not process patch (errata) information.

--no-kickstarts

Do not process Kickstart data (provisioning only).

--force-all-errata

Forcibly process all patch metadata without performing a diff.

--force-all-packages

Forcibly process all package metadata without performing a diff.

--debug-level=LEVEL_NUMBER

Override the amount of messaging sent to log files and generated on the screen set in /etc/rhn/rhn.conf, 0-6 (2 is default).

--email

Email a report of what was imported/synchronized to the designated recipient of traceback email.

--traceback-mail=TRACEBACK_MAIL

Direct synchronization output (from --email) to this mail address.

-s=, --server=SERVER

Include the hostname of an alternative server to connect to for synchronization.

--http-proxy=HTTP_PROXY

Add an alternative HTTP proxy server in the form hostname:port.

--http-proxy-username=PROXY_USERNAME

Include the username for the alternative HTTP proxy server.

--http-proxy-password=PROXY_PASSWORD

Include the password for the alternative HTTP proxy server.

--ca-cert=CA_CERT

Use an alternative SSL CA certificate by including the full path and filename.

--systemid=SYSTEM_ID

For debugging only - Include path to alternative digital system ID.

--batch-size=BATCH_SIZE

For debugging only - Set maximum batch size in percent for XML/database-import processing.

6.2.2. Preparing for Import

To perform the SUSE Manager import, the following prerequisites must be met:

  • The SUSE Manager installation must have been performed successfully.

  • The SUSE Manager exporter (mgr-exporter) data or access to the master SUSE Manager must be available.

Procedure 6.1. Preparing SUSE Manager Exporter Data

To import data previously exported using SUSE Manager exporter, you must first copy that data onto the local system. The following steps prepare the import as described in Section 6.2.3, “Running the Import”.

  1. Log into the machine as root.

  2. Create a target directory for the files, such as:

    mkdir /var/sw-import/
  3. Make the export data available on the local machine in the directory created in the previous step. This can be done by copying the data directly or by mounting the data from another machine using NFS. The following is an example scp command copying the data into the new directory:

    scp -r root@master.suma.example.com:/var/sw-export/* /var/sw-import

Now that the data is available, you can proceed to performing the import.

6.2.3. Running the Import

The susemanager-backend-tools package provides the mgr-inter-sync program for managing all package, channel, and patch (errata) imports and inter-server synchronizations. mgr-inter-sync is a symlink to satellite-sync.

The following process assumes the user has copied all data to /var/sw-import.

The first step in importing channels into the database is listing the channels available for import. This is accomplished with the command:

mgr-inter-sync --list-channels --mount-point /var/sw-import

The next step is to initiate the import of a specific channel. Do this using a channel label presented in the previous list. The command will look like:

mgr-inter-sync -c rhel-i386-6 --mount-point /var/sw-import
[Note]

Importing package data can take up to two hours per channel. You can begin registering systems to channels as soon as they appear in the SUSE Manager Web interface. No packages are necessary for registration, although updates cannot be retrieved from SUSE Manager until the channel is completely populated.

Repeat this step for each channel or include them all within a single command by passing each channel label preceded by an additional -c flag:

mgr-inter-sync -c channel-label-1 -c channel-label-2 --mount-point /var/sw-import

This conducts the following tasks in this order:

  1. Populating the tables describing common features for channels (channel families). This can also be accomplished individually by passing the --step=channel-families option to mgr-inter-sync.

  2. Creating a particular channel in the database and importing the metadata describing the channel. Individually, use the --step=channels option.

  3. Moving the RPM packages from the temporary repository into their final location. Individually, use the --step=rpms option.

  4. Parsing the header metadata for each package in the channel, uploading the package data, and associating it with the channel. Individually, use the --step=packages option.

  5. Identifying patches (errata) associated with the packages and including them in the repository. Individually, use the --step=errata option.

  6. Syncing kickstart data. Individually, use the --step=kickstarts option.

After running the preceding sample command, the population of the channel should be complete. All of the packages should have been moved out of the repository; this can be verified with the following command sequence:

cd /var/sw-import/
ls -alR | grep rpm

If all RPMs have been installed and moved to their permanent locations, then this count will be zero, and the administrator may safely remove the temporary repository (in this case, /var/sw-import/).

6.3. Synchronizing

An update channel is only as useful as the freshness of the information in that channel. Since SUSE Manager is designed to be a standalone environment, any update advisories published by SUSE must be manually imported and synchronized by the administrator of the SUSE Manager.

During synchronization over the network, the SUSE Manager synchronization tool performs the following steps:

  1. Connects over SSL to the SUSE Manager master, authenticates itself as a SUSE Manager, and triggers an export of the channel data.

  2. Examines the export and identifies differences between the SUSE Manager data set and the exported SUSE data set. For a particular channel, the following information is analyzed:

    • Channel metadata

    • Metadata of all packages in that channel

    • Metadata for all patches (errata) that affect that channel

    [Note]

    All analysis is performed on the SUSE Manager slave; the master delivers only an export of its channel information and remains ignorant of any details regarding the SUSE Manager slave.

  3. After the analysis of the export data, any differences are imported into the SUSE Manager database. Note that importing new packages may take variable lengths of time. For a large update, an import can take several hours.

6.4. Inter-Server Synchronization

Inter-Server Synchronization (ISS) allows a SUSE Manager to synchronize content and permissions from another SUSE Manager instance in a peer-to-peer relationship. However, in the following section, a SUSE Manager which receives content will be referred to as a "Slave Server" and a SUSE Manager which acts as the source, where the content is pulled from, is called a "Master Server". When using ISS to synchronize content, the slave instance may have a different setup from that of the Master for non-content entities such as users and organizations. The administrator on the slave instance is free to add, remove, and change entities independently from what occurs on the master instance.

[Note]

Master and slave are legacy terms that carry connotations that are not enforced by the ISS protocol. Keep their restricted meanings, as described above, in mind while reading this section.

With SUSE Manager 2.1, ISS allows the slave SUSE Manager to duplicate the organizational trust hierarchy and the custom channel permissions from the settings configured on the master. This is accomplished by exporting information about specific organizations from the master SUSE Manager to the receiving slave server. The administrator on the slave can then choose to map the master organizations to specific slave organizations. Future synchronization operations use this information to assign custom channel ownership to the slave organization, which is mapped to a specific master organization. It can also map the trust relationships between the exposed master organization to matching slave organizations, creating the equivalent relationships on the slave.

[Note]

An inter-server sync between a SUSE Manager 1.7 server as master and a SUSE Manager 2.1 server as client will succeed but generate an error email to the admin. The error email is harmless and can be deleted.

6.4.1. Configuring the Master SUSE Manager Server

Log in to the Web interface as SUSE Manager administrator. Click on Admin+ISS Configuration+Master Setup. In the top right-hand corner of this page, click Add New Slave and fill in the following information:

  • Slave Fully Qualified Domain Name (FQDN)

  • Allow Slave to Sync? - Choosing this field will allow the slave SUSE Manager to access this master SUSE Manager. Otherwise, contact with this slave will be denied.

  • Sync all orgs to Slave? - Checking this field will synchronize all organizations to the slave SUSE Manager.

[Note]

Choosing the Sync All Orgs to Slave? option on the Master Setup page will override any specifically selected organizations in the local organization table.

Click Create. Optionally, click on any local organization to be exported to the slave SUSE Manager then click Allow Orgs.

[Note]

In SUSE Manager 1.7 the master server used the iss_slaves parameter in the /etc/rhn/rhn.conf file to identify which slaves were allowed to contact the master. SUSE Manager 2.1 uses the information in the Master Setup page to determine this information.

To enable the inter-server synchronization (ISS) feature, edit the /etc/rhn/rhn.conf file and set: disable_iss=0. Save the file and restart the httpd service with service httpd restart.

6.4.2. Configuring Slave Servers

Slave SUSE Managers can be configured during installation with YaST or later via the Web interface.

6.4.2.1. During Installation with YaST

The SUSE Manager YaST module is able to setup a slave server.

In the dialog with the NCC credentials you can select between Connect to NCC and Connect to SUSE Manager for inter-server sync. Choose Connect to SUSE Manager for inter-server sync. The additional field Parent Server Name will be enabled. Enter the name (FQDN) of the master server.

[Note]Inter-server Sync and SUSE Customer Center (SCC)

Organization credentials are only needed for SCC connections, for slave server organization credentials are no longer needed.

The slave server forwards registrations to SUSE Customer Center by using the parent server as a proxy. A SUSE Manager server acting as a parent accepts register and de-register operations and forwards them directly to its parent. The top SUSE Manager server will send these requests to SCC and return the answers back the chain to the originally requesting slave server.

There are checks implemented that need to be passed before a SUSE Manager server forwards such a request. It checks, if the requesting slave is in the allowed list and it verifies the user and password. These must match the first configured credential.

6.4.2.2. Web Interface

Slave servers are the machines that will receive content synchronized from the master server. To securely transfer content to the slave servers, the ORG-SSL certificate from the master server is needed. The certificate can be downloaded over HTTP from the /pub/ directory of any SUSE Manager. The file is called RHN-ORG-TRUSTED-SSL-CERT , but can be renamed and placed anywhere in the local file system of the slave, such as the /usr/share/rhn/ directory.

Log in to the slave SUSE Manager as administrator and click on Admin+ISS Configuration+Slave Setup. In the top right-hand corner, click Add New Master and fill in the following information:

  • Master Fully Qualified Domain Name (FQDN)

  • Default Master?

  • Filename of this Master's CA Certificate: use the full path to the CA Certificate.

Click Add New Master.

6.4.3. Performing Inter-Server Synchronization

Once the master and slave servers are configured, a synchronization can be performed by running the mgr-inter-sync command:

mgr-inter-sync -c YOUR-CHANNEL

6.4.4. Mapping SUSE Manager Master Server Organizations to Slave Organizations

The master SUSE Manager should now show up in the slave's setup page under Admin+ISS Configuration+Slave Setup. If it does not, check the steps above.

A mapping between organizational names on the master SUSE Manager allows for channel access permissions to be set on the master server and propagated when content is synced to a slave SUSE Manager. Not all organization and channel details need to be mapped for all slaves. SUSE Manager administrators can select which permissions and organizations can be synchronized by allowing or omitting mappings.

To complete the mapping, log in to the Slave SUSE Manager as administrator. Click Admin+ISS Configuration+Slave Setup and select a Master SUSE Manager by clicking its name. Use the drop-down box to map the exported master organization name to a matching local organization in the slave SUSE Manager, then click Update Mapping.

On the command line, issue the sync command on each of the custom channels to obtain the correct trust structure and channel permissions:

mgr-inter-sync -c YOUR-CHANNEL

6.4.5. Automated Configuration

The spacewalk-sync-setup tool allows users to specify a Master and Slave SUSE Manager instance and uses configuration files to set up the information described in both the master and slave setup. It can create a set of default configuration files if requested. Essentially, it automates the previous setup and mapped configuration for master-slave relationships.

For automated configuration to succeed, the following prerequisites must be met:

  • The spacewalk-util package needs to be installed on the system that will issue the spacewalk-sync-setup command.

  • Organizations with custom permissions must exist on the master SUSE Manager.

  • Existing organizations within the Slave SUSE Manager must be present.

6.4.5.1. Configuring the Master SUSE Manager Server

Enable the inter-server synchronization (ISS) feature in the /etc/rhn/rhn.conf file:

disable_iss=0

Save the configuration file and restart the httpd service:

service httpd restart

6.4.5.2. Configuring Slave Servers

Slave servers are the machines that will have their content synchronized by the master server. To securely transfer content to the slave servers, the ORG-SSL certificate from the master server is needed. The certificate can be downloaded over HTTP from the /pub/ directory of any SUSE Manager. The file is called RHN-ORG-TRUSTED-SSL-CERT, but can be renamed and placed anywhere in the local file system of the slave, such as the /usr/share/rhn/ directory.

Log in to the slave SUSE Manager as administrator and click Admin+ISS Configuration+Slave Setup. On the top right-hand corner, click Add New Master and fill in the following information:

  • Master Fully Qualified Domain Name (FQDN)

  • Default Master?

  • Filename of this Master's CA Certificate: use the full path to the CA Certificate.

Click Add New Master.

6.4.5.3. Mapping Master Organizations to Slave Organizations

Log in to a system. It does not matter if it is a master or slave SUSE Manager, or a different system altogether as long as the system can access the public XMLRPC API of the master and slave SUSE Managers.

Run spacewalk-sync-setup on a command line interface:

spacewalk-sync-setup --ms=[Master_FQDN] \
  --ml=[Master_Sat_Admin_login] \
  --mp=[Master_Sat_Admin_password] \
  --ss=[Slave FQDN] --sl=[Slave_Sat_Admin_login]--sp=[Slave_Sat_Admin_password> \
  --create-templates --apply

Where:

  • --ms=MASTER, --master-server=MASTER is the FQDN of the Master to connect to,

  • --ml=MASTER_LOGIN, --master-login=MASTER_LOGIN is the administrator login for the master SUSE Manager,

  • --mp=MASTER_PASSWORD, --master-password=MASTER_PASSWORD is the password for the SUSE Manager administrator login on the master SUSE Manager,

  • --ss=SLAVE, --slave-server=SLAVE is the FQDN of the slave SUSE Manager to connect to,

  • --sl=SLAVE_LOGIN, --slave-login=SLAVE_LOGIN is the SUSE Manager administrator login for the slave server,

  • --sp=SLAVE_PASSWORD, --slave-password=SLAVE_PASSWORD is the password for the SUSE Manager administrator login on the slave server,

  • --ct, --create-templates is the option that creates both a master and a slave setup file for the master/slave pair,

  • --apply tells SUSE Manager to make the changes specified by the setup files to the specified SUSE Manager instances.

[Note]

For more setup options, run spacewalk-sync-setup--help.

The output from this command will be as follows:

INFO: Connecting to [admin@master-fqdn]
INFO: Connecting to [admin@slave-fqdn]
INFO: Generating master-setup file $HOME/.spacewalk-sync-setup/master.txt
INFO: Generating slave-setup file $HOME/.spacewalk-sync-setup/slave.txt
INFO: Applying master-setup $HOME/.spacewalk-sync-setup/master.txt
INFO: Applying slave-setup $HOME/.spacewalk-sync-setup/slave.txt

On the command line, issue the mgr-inter-sync command on each of the custom channels to obtain the correct trust structure and channel permissions:

mgr-inter-sync -c channel-name

6.5. Organizational Synchronizing

Inter-Server Synchronization can also be used to import content to any specific organization. This can be done locally or by remote synchronization. This function is useful for a disconnected SUSE Manager with multiple organizations, where content is retrieved through channel dumps or by exporting from connected SUSE Managers and then importing into the disconnected SUSE Manager. Organizational synchronization can be used to export custom channels from connected SUSE Managers. It can also be used to effectively move content between multiple organizations.

Organizational synchronization follows a clear set of rules in order to maintain the integrity of the source organization:

  • If the source content belongs to a base organization, it will default to this base organization even if a destination organization is specified. This ensures that specified content is always in that privileged base organization.

  • If an organization is specified at the command line, content will be imported from that organization.

  • If no organization is specified, it will default to organization 1.

The following are three example scenarios where organizational IDs (orgid) are used to synchronize between SUSE Managers:

  1. Import content from a SUSE Manager master to a slave:

    mgr-inter-sync --iss-parent=master.suma.example.com -c channel-name --orgid=2
    
  2. Import content from an exported dump of a specific organization:

    mgr-inter-sync -m /dump -c channel-name --orgid=2
    
  3. Import content from SUSE Manager Hosted (assuming the system is registered and activated). If the source organization is not specified, the base channel is chosen):

    mgr-inter-sync -c channel-name
    

6.6. Inter-Server Synchronization Use Cases

Inter-server synchronization (ISS) provides several different ways for synchronizing content, depending on the needs of the organization. The following are some of the more typical uses showcasing how to make the most of this feature depending on your environment.

Figure 6.1. Staging SUSE Manager Server

Staging SUSE Manager Server

In this example, the stage SUSE Manager is used to prepare the content and perform quality assurance (QA) to make sure that packages are fit for production use. After content is approved to go to production, the production SUSE Manager server can synchronize the content from the stage SUSE Manager.

Figure 6.2. Master Server and Slave Peers that include their own custom content

Master Server and Slave Peers that include their own custom content

In this example, the SUSE Manager master is the development channel, from which content is distributed to all SUSE Manager production slaves. Some SUSE Manager slaves have extra content not present in SUSE Manager master channels. These packages are preserved, but all changes from the SUSE Manager master are synchronized to SUSE Manager slaves.

Figure 6.3. SUSE Manager Slaves are Maintained Exactly as the SUSE Manager Master

SUSE Manager Slaves are Maintained Exactly as the SUSE Manager Master

In this example, the SUSE Manager master (e.g., a software or hardware vendor) provides data to its customer. These changes are regularly synchronized to the SUSE Manager slaves.

Chapter 7. Troubleshooting

This chapter provides tips for determining the cause of and resolving the most common errors associated with SUSE Manager. For services and support options available for SUSE Manager, refer to http://www.suse.com/products/suse-manager/.

In addition, you may package configuration information and logs from SUSE Manager and send them to SUSE for further diagnosis. Refer to Section 7.14, “SUSE Manager Debugging” for instructions.

7.1. Installation and Configuration

If you have difficulties deploying the appliance, proceed according to the following list.

7.1.1. Installation and Basic Setup

CPU: 64-Bit and Virtualization Support

For running SUSE Manager in a virtual environment you need a machine with a recent Linux Kernel on either an Intel processor with VT (Virtualization technology) extensions, or an AMD processor with SVM extensions (also called AMD-V).

Test if your CPU supports hardware virtualization (and which set of extensions is used) by executing the following command:

egrep '(vmx|svm)' /proc/cpuinfo

If this command returns no output, your processor either does not support hardware virtualization, or this feature has been disabled in the BIOS. Enable virtualization support in the BIOS and try again. If in doubt, consult your mainboard manual.

If the output contains a svm string, your machine uses the AMD V extensions, if the output contains a vmx string, the Intel VT extensions are used.

Database Connection Error

If the setup script reports a database connection error, check if bridged networking is configured correctly on your virtual machine. As repairing the current installation will fail after a database connection error, fix the network settings in your virtual machine and start from scratch with a new SUSE Manager image.

Hostname and DNS

Make sure to fulfill the hostnames and DNS requirements listed in Section 3.3, “Additional Requirements”.

7.1.2. Basic Configuration

Client Is Not Registered

This is often caused by a missing channel assignment. For example, if you want to register a client running a 64-bit version of SUSE Linux Enterprise Server 11 SP1, you need to add one or more channels for that version of SUSE Linux Enterprise Server 11 SP1. Check if the required steps mentioned at the beginning of Section 4.5, “Basic Configuration” have been executed correctly.

Web Interface: Unavailable Functions

If any functions or entries in the Web interface are not available, check if you have the permission to access these functions. SUSE Manager uses a role-based model for granting permissions. For more information, refer to Section 4.5.6, “User Management” and Section 4.5.4, “Organization Management”.

Ports Required for Communication

The ports required for communication between SUSE Manager server, SUSE Manager Proxy server, client systems, and Novell Customer Center are listed in Section 3.3, “Additional Requirements”.

7.1.3. Mail and Notification Issues

If you as the administrator are not receiving mail notification from SUSE Manager, check and modify the following parameters in /etc/rhn/rhn.conf:

traceback_mail

Defines the mail address of the system administrator of the SUSE Manager appliance. This mail address will only be used for error/warning/info messages from spacewalk services (java process, taskomatic tasks, etc.).

web.default_mail_from

This is the mail address used by SUSE Manager to send notification mails about error messages and daily status reports. You can set this address that is valid for your organization.

7.2. General Problems

When having general problems, examine the log files related to the component exhibiting failures. For more information, see Section 7.6, “Log Files”.

A common issue is full disk space. For example, if you observe the halted writing in the log files, or logging suddenly stopped during writing, you likely have not enough disk space left. Run the following command to check the percentage in the Use% column:

df -h

In addition to log files, you can obtain valuable information by retrieving the status of your SUSE Manager and its various components. This can be done with the command:

/usr/sbin/spacewalk-service status

Furthermore, you can obtain the status of components such as the Apache Web server and the Task Engine individually. For example, to view the status of the Apache Web server, run the command:

rcapache2 status

If the Apache Web server is not running, entries in your /etc/hosts file may be incorrect. For more information, see Section 7.11, “Host Not Found/Could Not Determine FQDN”.

To obtain the status of the Task Engine, run the command:

rctaskomatic status

If a SUSE Manager's embedded database is in use, run one of the following commands to obtain its status:

service oracle status

Or:

service postgresql status

To determine the version of your database schema, run the command:

rhn-schema-version

To list the character set types of your SUSE Manager's database, run the command:

rhn-charsets

If importing or synchronizing a channel fails and you cannot recover it in any other way, run this command to delete the cache:

rm -rf temporary-directory

Note that Section 6.2.2, “Preparing for Import” suggested that this temporary directory be /var/sw-import/.

Then restart the import or synchronization.

If zypper up or the push capability of SUSE Manager ceases to function, old log files might be the reason for this. Stop the jabberd daemon before removing these files. To do so, issue the following commands as root:

rcjabberd stop
cd /var/lib/jabberd
rm -f db*
rcjabberd start

7.3. Configuring Reliable SUSE Manager Setup

It is important to get the server/client SUSE Manager communication parameters right. For example, by default Apache is configured with 150 clients maximum (MaxClients). If you ping 1000 clients at the same time to perform a kernel update, this must fail. Even if you increase MaxClients to 1000, you will run out of database connections, which is configured to 400 by default.

osa-dispatcher is able to set a threshold on notifying clients to run rhn_check. In /etc/rhn/rhn.conf set

osa-dispatcher.notify_threshold = 80

to allow 80 clients in parallel to execute rhn_check. Note, clients doing "SSH PUSH" do not count. This is configured separately with the taskomatic.ssh_push_workers parameter.

Both settings together should not exceed Apache's MaxClients option. Better allow some unused connections for the webUI and internal communication. It is recommended to keep 20 or 30 free. As a rough calculation use:

notify_threshold + ssh_push_workers + 30 = Apache's MaxClients

7.4. Gathering Information with spacewalk-report

There are instances where administrators may need a concise, formatted summary of their SUSE Manager resources, whether it is to take inventory of their entitlements, subscribed systems, or users and organizations. Rather than gathering such information manually from the SUSE Manager Web interface, SUSE Manager includes the spacewalk-report command to fetch and display vital SUSE Manager information at once.

[Note]

To use spacewalk-report, you must have the spacewalk-reports package installed.

spacewalk-report allows administrators to organize and display reports about content, systems, and user resources across SUSE Manager. Using spacewalk-report, you can receive reports on:

  • System Inventory: lists all of the systems registered to SUSE Manager.

  • Entitlements: lists all organizations on SUSE Manager, sorted by system or channel entitlements.

  • Patches: lists all the patches relevant to the registered systems and sorts patches by severity, as well as the systems that apply to a particular patch.

  • Users: lists all the users registered to SUSE Manager and any systems associated with a particular user.

spacewalk-report allows administrators to organize and display reports about content, systems, and user resources across SUSE Manager. To get the report in CSV format, run the following at the command line of your SUSE Manager server.

spacewalk-report report_name

The following reports are available:

Table 7.1. spacewalk-report Reports

Report

Invoked as

Description

Channel Packages

channel-packages

List of packages in a channel.

Channel Report

channels

Detailed report of a given channel.

Cloned Channel Report

cloned-channels

Detailed report of cloned channels.

Custom Info

custom-info

System custom information.

Entitlements

entitlements

Lists all organizations on SUSE Manager with their system or channel entitlements.

Patches in Channels

errata-channels

Lists of patches in channels.

Patches Details

errata-list

Lists all patches that affect systems registered to SUSE Manager.

All patches

errata-list-all

Complete list of all patches.

Patches for Systems

errata-systems

Lists applicable patches and any registered systems that are affected.

Host Guests

host-guests

List of host-guests mapping.

Inactive Systems

inactive-systems

List of inactive systems.

System Inventory

inventory

List of systems registered to the server, together with hardware and software information.

Kickstart Trees

kickstartable-trees

List of kickstartable trees.

All Upgradable Versions

packages-updates-all

List of all newer package versions that can be upgraded.

Newest Upgradable Version

packages-updates-newest

List of only newest package versions that can be upgraded.

Result of SCAP

scap-scan

Result of OpenSCAP sccdf eval.

Result of SCAP

scap-scan-results

Result of OpenSCAP sccdf eval, in a different format.

System Data

splice-export

System data needed for splice integration.

System Groups

system-groups

List of system groups.

Activation Keys for System Groups

system-groups-keys

List of activation keys for system groups.

Systems in System Groups

system-groups-systems

List of systems in system groups.

System Groups Users

system-groups-users

Report of system groups users.

Installed Packages

system-packages-installed

List of packages installed on systems.

Users in the System

users

Lists all users registered to SUSE Manager.

Systems administered

users-systems

List of systems that individual users can administer.


For more information about an individual report, run spacewalk-report with the option --info or --list-fields-info and the report name. The description and list of possible fields in the report will be shown.

For further information, the spacewalk-report(8) man page as well as the --help parameter of the spacewalk-report program can be used to get additional information about the program invocations and their options.

7.5. Changing the CSV Separator

The character used as the delimiter in downloadable CSV files throughout SUSE Manager can now be configured per user via the Web interface. When navigating to Your Preferences on the Overview page, the following options are available:

  • Comma (",", default)

  • Semicolon (";", compatible with Microsoft® Excel®)

Whenever downloading a CSV file from anywhere within SUSE Manager, the configured separator character will be used as the delimiter.

7.6. Log Files

If having trouble with SUSE Manager, examine the associated log files. Log files provide important information about the activity that has taken place on the device or within the application that can be used to monitor performance and ensure proper configuration. See Table 7.2, “Log Files” for the location of all the relevant log files.

[Note]

There may be numbered log files (such as mgr-ncc-sync.log.1, mgr-ncc-sync.log.2, etc.) within the /var/log/rhn directory. When the current mgr-ncc-sync.log file fills up to a size as specified by the logrotate(8) daemon, rotated log files are created with a .NUMBER extension. The file with the highest number contains the oldest rotated logs.

Not all files are fully covered by the logrotate daemon. For example, with every run reposync log files get a new name containing date and time information—see its logrotate configuration in /etc/logrotate.d/spacewalk-backend-tools. If you want to keep only recent files in the /var/log/rhn/reposync directory and thus preventing the log process from filling up the storage space, specify after how many days untouched log files should be removed. Set the MAX_DAYS system configuration variable in /etc/sysconfig/rhn/reposync accordingly; then, the daily cron maintenance procedure removes outdated files.

Table 7.2. Log Files

Component/Task

Log File Location

Apache Web server

/var/log/apache2/

SUSE Manager

/var/log/rhn/

SUSE Manager Installation

/var/log/susemanager_setup.log

Database installation (Embedded Database)

/var/log/rhn/install_db.log

Database population

/var/log/rhn/populate_db.log

SUSE Manager Synchronization Tool

/var/log/rhn/mgr-ncc-sync.log

Monitoring infrastructure

/var/log/nocpulse/

Monitoring notifications

/var/log/notification/

Task Engine (taskomatic)

/var/log/rhn/rhn_taskomatic_daemon.log

zypper

/var/log/zypper.log

XML-RPC transactions

/var/log/rhn/rhn_server_xmlrpc.log


If "OutOfMemoryError" strings appear in the rhn_taskomatic_daemon.log file, the parameter taskomatic.maxmemory in the /etc/rhn/rhn.conf file should be set to at least 4096 when dealing with a large number of packages and repositories. This parameter overrides the setting in /etc/rhn/default/rhn_taskomatic_daemon.conf.

7.7. Naming Custom Channels

To avoid conflicts, do not use names for custom channels that vendors such as SUSE or Red Hat use or might use.

7.8. Accessing Local Channels without Proxy

Even if a proxy is configured for accessing external Internet resources and a SUSE Manager Proxy for NCC connections and channel synchronization, it is possible to access local custom channels directly without a proxy.

To access local channels directly, set the server.satellite.no_proxy variable in /etc/rhn/rhn.conf accordingly.

server.satellite.no_proxy is a comma-separated list of hosts that do not use the proxy. Each name is matched as either a domain that contains the hostname or the hostname itself. For example, example.com would match example.com, example.com:80, and www.example.com, but not www.notexample.com. Additionally, it matches all subdomains; example.com would also disable the proxy for my.sub.example.com. This would be a valid setting:

server.satellite.no_proxy = example.com, host.example.org

The only allowed wildcard is a single * character, which matches all hosts, and thus effectively disables the proxy.

7.9. Using a Proxy with Certificates to Access the Internet

Some proxies need certificates to access the internet. Often these certificates are created on the own CA of the company. This will cause problems when SUSE Manager wants to access suse.com or novell.com servers. In these cases, you could see the following error messages:

In /var/log/tomcat6/catalina.out:
2015-04-28 09:31:00,886 [TP-Processor6] INFO  org.directwebremoting.log.accessLog - Method execution failed:
com.redhat.rhn.frontend.action.satellite.SCCConfigAction$SCCConfigException:
com.suse.scc.client.SCCClientException:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

or

2015-01-08 17:07:20,240 [TP-Processor6] ERROR com.redhat.rhn.manager.setup.SCCMirrorCredentialsManager - Error getting subscriptions for 6419084, 
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed:
wget will show the following:
wget http://updates.suse.com
 --2015-04-28 11:12:23--  http://updates.suse.com/
 Resolving xxxxxxxxxxxxxx... yyy.yyy.yyy.yyy
 Connecting to XXXXXXXXXXXXXX|yyy.yyy.yyy.yyy|:8080... connected.
 Proxy request sent, awaiting response... 301 Moved Permanently
 Location: https://updates.suse.com// [following]
 --2015-04-28 11:12:23--  https://updates.suse.com//
 Connecting to XXXXXXXXXXXXXX|yyy.yyy.yyy.yyy|:8080... connected.
 ERROR: cannot verify updates.suse.com's certificate, issued by `/C=XX/O=XXXXXX/CN=XXXXXXXXXXXXXXX':
 Unable to locally verify the issuer's authority.
 To connect to updates.suse.com insecurely, use `--no-check-certificate'.
 Unable to establish SSL connection.

To solve this issue use the following procedure:

  1. Copy the root and—if needed—intermediate CA certificates to /tmp

  2. Copy the files to /etc/ssl/certs and change suffix to .pem:

    cp /tmp/filename_of_root_CA.cer /etc/ssl/certs/filename_of_root_CA.pem
    cp /tmp/filename_of_intermediate_CA.cer /etc/ssl/certs/filename_of_intermediate_CA.pem
  3. Update the information for the SSL certificates:

    c_rehash /etc/ssl/certs
  4. Import the certificates into the java keystore:

    keytool -import -alias root -file /tmp/filename_of_root_CA.cer \
      -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
    keytool -import -alias intermediate \
      -file /var/tmp/filename_of_intermediate_CA.cer \
      -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
  5. The last step is to restart spacewalk:

    spacewalk-service restart

To check whether everything works, run the following commands:

mgr-sync refresh
wget http://updates.suse.com

It works correctly, if the wget call will cause a 404 http error.

7.10. Discovering Hosts and Subnets in the Network

The SUSE Manager Network Scanner is a tool for scanning the network and finding hosts and subnets in it. It consists of the SUSE Manager Network Discovery daemon and its client. By default, the daemon runs on the network port 5000.

7.10.1. Installation and Configuration

Procedure 7.1. Installation and Configuration Instructions

  1. On the SUSE Manager server install the SUSE Manager Network Discovery daemon and its client with the following commands as root:

    zypper install sm-network-discovery
    zypper install sm-network-discovery-client
  2. For configuring the network device on which the daemon is listening, see the sm-netscan.conf manpage. Additionally you can change other defaults according to your needs.

    Background information: The Network Scanner does not need the SNMP protocol or any other special hints about the network that you want to scan. However, it must be allowed to send ICMP packets to ping its targets. Thus it can work on any network layout without a specific configuration or assumptions that some credentials need to be sent somewhere in order to get the needed starting info.

7.10.2. Usage

The Network Scanner consists of two pars: the daemon that discovers the network and the client that returns the already captured data.

To start the daemon:

rcsm-network-discovery start

To view the scanned network, use the SUSE Manager Network Discovery client sm-netscan that comes with the --help option to display an online help.

[Note]Scanning the Network

Scanning your network may take some time. So after starting the daemon, wait some minutes before running the client tool.

To see the found subnets:

sm-netscan --subnets

To see the hosts in particular subnets:

sm-netscan --hosts=SUBNET_IP

To retrieve the data in XML, pass the format parameter to the client tool.

For more details, see the sm-netscan manpage and the online documentation at http://wiki.novell.com/index.php/SM_NetworkScanner.

7.11. Host Not Found/Could Not Determine FQDN

SUSE Manager configuration files rely exclusively on fully qualified domain names (FQDN). Therefore, it is imperative that key applications are able to resolve the name of the SUSE Manager server into an IP address. Red Hat Update Agent and the Apache Web server are particularly prone to this problem with the applications issuing errors of "Host not found" and the Web server stating "Could not determine the server's fully qualified domain name" upon failing to start.

This problem typically originates from the /etc/hosts file. The /etc/nsswitch.conf file defines the methods and the order by which domain names are resolved. Usually, the /etc/hosts file is checked first, followed by Network Information Service (NIS) if used, followed by DNS. One of the files has to succeed for the Apache Web server to start and the client applications to work.

  1. To resolve this problem, check the /etc/hosts file. It looks like this:

    127.0.0.1 this_machine.example.com this_machine localhost.localdomain \
    localhost
    
  2. In a text editor, remove the offending machine information so that the line in /etc/hosts looks like this:

    127.0.0.1 localhost.localdomain.com localhost
  3. Save the file and try to run the client applications or the Apache Web server again. If they still fail, explicitly identify SUSE Manager server's IP address in the file, such as:

    127.0.0.1 localhost.localdomain.com localhost
    192.0.2.34 this_machine.example.com this_machine
    
  4. Replace the value 192.0.2.34 with the actual IP address of the SUSE Manager server. Keep in mind, if the IP address is specified here, the file will need to be updated in case the machine receives a new address.

7.12. RPC Connection Timeout Settings

RPC connection timeouts are configurable on the SUSE Manager server, SUSE Manager Proxy server, and the clients. For example, if package downloads take longer then expected, you can increase timeout values. spacewalk-proxy restart should be run after the setting is added or modified.

Set the following variables to a value in seconds specifying how long an RPC connection may take at maximum:

Server — /etc/rhn/rhn.conf:
server.timeout = number
Proxy Server — /etc/rhn/rhn.conf:
proxy.timeout = number
SUSE Linux Enterprise Server Clients (using zypp-plugin-spacewalk) — /etc/zypp/zypp.conf:
## Valid values:  [0,3600]
## Default value: 180
download.transfer_timeout = 180

This is the maximum time in seconds that a transfer operation is allowed to take. This is useful for preventing batch jobs from hanging for hours due to slow networks or links going down. If limiting operations to less than a few minutes, you risk aborting perfectly normal operations.

Red Hat Enterprise Linux Clients (using yum-rhn-plugin) — /etc/yum.conf:
timeout = number

7.13. Connection Errors

A common connection problem, indicated by SSL_CONNECT errors, is the result of a SUSE Manager server being installed on a machine with an inaccurate time. In that case, SSL certificates are created with inaccurate times during the installation process. If the time on SUSE Manager is then corrected, the certificate start date and time may be set in the future, making it invalid.

To troubleshoot this, check the date and time on the clients and on SUSE Manager with date.

The results should be nearly identical for all machines and within the "notBefore" and "notAfter" validity windows of the certificates. Check the client certificate dates and times with the following command:

openssl x509 -dates -noout -in /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

Check the SUSE Manager server certificate dates and times with the following command:

openssl x509 -dates -noout -in /etc/apache2/ssl.crt/server.crt

By default, the server certificate has a one-year life while client certificates are valid for 10 years. If the certificates are incorrect, you can either wait for the valid start time, or create new certificates, with an accurate time setting.

Do the following to troubleshoot general connection errors:

  • Attempt to connect to SUSE Manager's database in the command line using the correct connection string as found in /etc/rhn/rhn.conf:

    sqlplus username/password@sid
    
  • Ensure SUSE Manager is using Network Time Protocol (NTP) and is set to the appropriate time zone. This also applies to all client systems and the separate database machine in SUSE Manager (if used with a stand-alone database).

  • Confirm the correct package:

    rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm 
    

    is installed on SUSE Manager, and the corresponding rhn-org-trusted-ssl-cert-*.noarch.rpm or raw CA SSL public (client) certificate is installed on all client systems.

  • Verify the client systems are configured to use the appropriate certificate.

  • If also using one or more SUSE Manager Proxy Servers, ensure each Proxy's SSL certificates are prepared correctly. The Proxy should have both its own server SSL key-pair and CA SSL public (client) certificate installed, since it serves in both capacities. Refer to Chapter 3, SSL Infrastructure (↑Client Configuration Guide) for specific instructions.

  • Make sure client systems are not using firewalls of their own, blocking required ports.

7.14. SUSE Manager Debugging

If you have followed the steps above but still need more help, contact the SUSE support and provide SUSE Manager's configuration parameters, log files, and database information.

SUSE Manager provides a command line tool explicitly for this purpose. Log in to your SUSE Manager server as root and execute the following command:

spacewalk-debug

It collects several pieces of information and stores them in a tarball:

Collecting and packaging relevant diagnostic information.
Warning: this may take some time...
   * copying configuration information
   * copying logs
   * copying cobbler files
   * copying monitoring moc logs
   * copying monitoring scout logs
   * copying ssl-build
   * copying /etc/sudoers
   * copying apache, oracle, tomcat, nocpulse entries from /etc/passwd
   * copying apache, oracle, tomcat, nocpulse entries from /etc/group
   * querying RPM database (versioning of Spacewalk, etc.)
   * querying schema version, database charactersets and database
   * get diskspace available
   * get database statistics
   * get schema statistics
   * copying audit.log
   * timestamping
   * creating tarball (may take some time): /tmp/spacewalk-debug.tar.bz2
   * removing temporary debug tree
   
Debug dump created, stored in /tmp/spacewalk-debug.tar.bz2

7.15. Resetting the SUSE Manager Password

If you want to change the password for your Web instance of SUSE Manager or you have forgotten it, use the satpasswd command. Log in to your SUSE Manager with SSH and run it like this:

satpasswd admin

Type your password twice or cancel with Ctrl+C.

7.16. Registering a Client Manually with suse_register

If you have problems registering your clients or you want to do it manually, use suse_register. Before you register a client, collect the following information:

  • Your email address.

  • Your product key, starting with regcode-. In the case of SUSE Manager, it is regcode-sms.

  • Your registration key. Get it from your Novell Customer Center.

To register your client, run suse_register as follows:

suse_register -n \
  -L register.log \
  -a email=YOUR_EMAIL \
  -a regcode-sms=REG_KEY

The -n option (--no-optional) collects so called optional data which can be necessary for your registration. However, this depends on your contract.

The -L option tells suse_register to write a log message to register.log. You need this if you have to provide detailed information about the registration process to our support.

Find other options and their explanations with --help.

7.17. Multiple Mirror Credentials

The Spacewalk backend (spacewalk-backend) and the SUSE Manager Tools (susemanager-tools) can handle multiple mirror credentials. Either log in to the Web interface and go to Admin+Setup Wizard, where you can add credentials on the Mirror Credentials page. As long as you are connected to NCC, you can also add additional credentials in /etc/rhn/rhn.conf as described in Section 7.17.1, “Configuring Multiple Mirror Credentials with NCC”. For more information on the setup wizard, refer to Section “Admin > Setup Wizard” (Chapter 12, Admin, ↑User Guide).

7.17.1. Configuring Multiple Mirror Credentials with NCC

Procedure 7.2. Configuring Multiple Mirror Credentials with NCC

  1. Add all your additional credentials to /etc/rhn/rhn.conf as follows:

    # This is already configured. Do not change it.
    server.susemanager.mirrcred_user = 111111
    server.susemanager.mirrcred_pass = secret
    
    # Add an additional set of credentials like this:
    server.susemanager.mirrcred_user_1 = 222222
    server.susemanager.mirrcred_pass_1 = secret
    
    # Add as many additional credentials as needed by incrementing
    # the suffix (mirrcred_user_#); e.g.:
    server.susemanager.mirrcred_user_2 = 333333
    server.susemanager.mirrcred_pass_2 = secret

    The numbers appended to the mirrcred_ keys must be numbered consecutively. If you skip one number, mgr-ncc-sync will stop looking for more credentials.

  2. After editing /etc/rhn/rhn.conf, run:

    mgr-ncc-sync --refresh

Now, if you type mgr-ncc-sync -l, you will see a channel listing with the combination of all mirror credentials.

If you have configured client registration forwarding, all clients are registered against the company identified by mirrcred_user.

[Warning]Changing Credentials

To change credentials, edit /etc/rhn/rhn.conf as needed. If the previous credentials were used by one of your installed channels and the new credentials no longer provide access to that channel, connecting to NCC for that channel will no longer work.

If mgr-ncc-sync detects that a channel is not accessible anymore with the so far used credentials, it will test all credentials listed in rhn.conf and the first one that works will be stored in the database for further use.

Only remove a channel (with spacewalk-remove-channel) if you are sure that you do not need it anymore!

7.17.2. Credentials after Migrating to SCC

With latest patches applied, and after migrating to SCC, edit mirror credentials within the Web interface. It is also possible to edit mirror credentials via the XMLRPC API.

[Note]

The SCC migration will remove any mirror credential data from rhn.conf.

Multiple mirror credentials can be configured with the Web Interface. Click Admin+Setup Wizard+Mirror Credentials. In this tab you are able to add, remove, or edit mirror credentials. Make sure that the primary mirror credentials (yellow asterisk) include the subscription for SUSE Manager itself.

For more information, see https://wiki.microfocus.com/index.php/SUSE_Manager/MultipleMirrorCredentials.

7.18. Invoking spacecmd

spacecmd does not seem to accept commands or options, instead only prints a usage message.

When running spacecmd non-interactively, take care to escape arguments passed to the spacecmd functions. This involves inserting -- before the function name to prevent the arguments to the function to be treated as global arguments to spacecmd. Also escape any quotes that are passed to the function so that the shell does not interpret them.

Example:

spacecmd -s server1 -- softwarechannel_create -n \'My Channel\' \
  -l channel1 -a x86_64

Chapter 8. Maintenance

SUSE Manager provides a unique environment not available to any other Novell Customer Center customers. In return, SUSE Manager also requires maintenance. This chapter discusses the procedures that should be followed to carry out administrative functions outside of standard use and to apply patches to SUSE Manager.

8.1. Managing SUSE Manager with spacewalk-service

Since SUSE Manager consists of a multitude of individual components, SUSE provides the command-line tool spacewalk-service which allows you to stop, start, or retrieve status information from the various services in the appropriate order. This tool accepts all typical commands:

/usr/sbin/spacewalk-service start
/usr/sbin/spacewalk-service stop
/usr/sbin/spacewalk-service restart
/usr/sbin/spacewalk-service reload
/usr/sbin/spacewalk-service enable
/usr/sbin/spacewalk-service disable
/usr/sbin/spacewalk-service status

Use spacewalk-service to shut down and bring up the entire SUSE Manager and retrieve status messages from all of its services at once.

In case you need to do a database schema upgrade, do the following:

Procedure 8.1. Performing a Database Schema Upgrade

  1. Stop SUSE Manager with spacewalk-service stop.

  2. Run spacewalk-schema-upgrade.

  3. Restart SUSE Manager with spacewalk-service start.

8.2. Updating SUSE Manager

If any critical updates are provided for SUSE Manager, they will be released in the form of a patch for SUSE Manager. Find a generic description on how to apply patches in Procedure 8.2, “Updating a SUSE Manager Server”. Depending on the patch, specific instructions may apply.

For SUSE Manager systems connected to the Internet, the best method for applying these patches is using zypper or YaST Online Update. Proper registration at Novell Customer Center is mandatory for the system to receive updates. For details, refer to Section 4.2, “Installation”. SUSE Manager systems not connected to the Internet (disconnected setup) will receive updates from an internal update server instead.

Procedure 8.2. Updating a SUSE Manager Server

As soon as SUSE Manager is up and running and the database is configured, updating the server requires more than executing zypper patch (or running YaST Online Update alternatively).

The steps below describe the generic procedure, but depending on the patch, specific instructions may apply.

[Warning]Read Patch Advisory

Before applying any updates, make sure to read the patch advisory. Additional configuration steps may be required to apply certain updates, especially if they involve the database. In such cases, the advisory will contain specific and detailed information about necessary steps.

  1. Log in as root user to the SUSE Manager server.

  2. Stop the Spacewalk service:

    spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update. For more information about zypper or YaST Online Update, refer to Section “Updating Packages on SLE” (Chapter 2, Package Update Tools (SLE and RHEL), ↑Reference Guide).

  4. If the patch includes an update of the database schema, proceed as follows (otherwise skip the substeps below):

    1. If the SUSE Manager database is running on the same machine as your SUSE Manager server, start the database instance with

      /etc/init.d/postgresql start
    2. Upgrade the database schema with

      spacewalk-schema-upgrade
  5. Start the Spacewalk service:

    spacewalk-service start
[Important]Restart of Services and Applications

Services affected by a package update are not automatically restarted after the update—you need to restart them manually to avoid failures.

Also execute zypper ps to check for any applications that still use old code. Restart those applications.

8.3. Creating Up-to-date Bootstrap Repositories

To get up-to-date packages for the bootstrap repositories, use the mgr-create-bootstrap-repo command, but first you need to uninstall all packages in the old bootstrap repositories:

# zypper remove spacewalk-client-repository spacewalk-client-repository-sle-10-4 
spacewalk-client-repository-sle-10-3 spacewalk-client-repository-sle-11-1
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following packages are going to be REMOVED:
  spacewalk-client-repository spacewalk-client-repository-sle-10-3 
  spacewalk-client-repository-sle-10-4 spacewalk-client-repository-sle-11-1 

4 packages to remove.
After the operation, 62.5 MiB will be freed.
Continue? [y/n/?] (y): y
Removing spacewalk-client-repository-0.1-0.7.1 [done]
Removing spacewalk-client-repository-sle-10-4-0.1-0.7.2 [done]
Removing spacewalk-client-repository-sle-11-1-0.1-0.7.1 [done]
Removing spacewalk-client-repository-sle-10-3-0.1-0.7.2 [done] 
    

Now call the mgr-create-bootstrap-repo command for SLE-11-SP3-x86_64:

# mgr-create-bootstrap-repo
SLE-11-SP1-x86_64
SLE-11-SP2-x86_64
SLE-11-SP3-x86_64
Enter product label: SLE-11-SP3-x86_64
copy 'spacewalk-client-tools-1.7.14.18-0.5.2.noarch'
copy 'zypper-1.6.308-0.9.16.x86_64'
copy 'libzypp-9.37.1-0.7.1.x86_64'
copy 'satsolver-tools-0.17.7-0.6.2.1.x86_64'
copy 'zypp-plugin-python-0.3-2.5.38.x86_64'
copy 'zypp-plugin-spacewalk-0.9.5-0.5.5.x86_64'
copy 'spacewalk-check-1.7.14.18-0.5.2.noarch'
copy 'spacewalk-client-setup-1.7.14.18-0.5.2.noarch'
copy 'newt-0.52.10-1.35.113.x86_64'
copy 'libnewt0_52-0.52.10-1.35.113.x86_64'
copy 'python-newt-0.52.10-1.35.113.x86_64'
copy 'python-dmidecode-3.10.11-0.10.1.x86_64'
copy 'python-ethtool-0.7-0.15.15.1.x86_64'
copy 'python-openssl-0.7.0-1.17.2.x86_64'
copy 'rhnlib-2.5.51.5-0.5.1.x86_64'
copy 'spacewalksd-4.9.15.3-0.5.3.x86_64'
copy 'suseRegisterInfo-1.7.4-0.5.1.x86_64'
copy 'libcurl4-7.19.7-1.28.1.x86_64'
copy 'slang-2.1.1-58.18.x86_64'
Spawning worker 0 with 26 pkgs
Workers Finished
Gathering worker results

Saving Primary metadata
Saving file lists metadata
Saving other metadata
    

Repeat the command for SLE-11-SP1-x86_64 and SLE-11-SP2-x86_64 if necessary. Now you have the latest package versions for your bootstrap repositories. For bootstrapping SUSE Linux Enterprise Server_11_SP_1 clients, you need to create a compatibility symlink:

cd /srv/www/htdocs/pub/repositories
ln -s sle/11/1/bootstrap susemanager-client-setup
    

For more information, refer to the mgr-create-bootstrap-repo manpage.

8.4. Backing Up SUSE Manager

Backing up SUSE Manager can be done in several ways. Regardless of the method chosen, the associated database also needs to be backed up. For the stand-alone database, consult your organization's database administrator. For the embedded database, refer to Section 8.6, “Configuring SUSE Manager's Database (smdba)” for a complete description of this process and the options available.

SUSE recommends backing up the following files and directories:

  • /rhnsat/ — embedded database only (never to be backed up while the database is running)

  • /etc/sysconfig/rhn/

  • /etc/rhn/

  • /etc/sudoers

  • /etc/tnsnames.ora

  • /srv/www/htdocs/pub/

  • /var/spacewalk/packages/1 — custom RPMs

  • /root/.gnupg/

  • /root/ssl-build/

  • /etc/dhcp.conf

  • /tftpboot/

  • /var/lib/cobbler/

  • /var/lib/rhn/kickstarts/

  • /srv/www/cobbler

  • /var/lib/nocpulse/

SUSE recommends to back up the entire /var/spacewalk/ tree. In case of failure, this will save lengthy download time. Since /var/spacewalk/ (specifically /var/spacewalk/packages/NULL/) is primarily a duplicate of the package repository, it can be regenerated with mgr-ncc-sync. In the case of disconnected SUSE Managers, /var/spacewalk/must be backed up.

Backing up only these files and directories requires reinstalling the SUSE Manager RPMs and re-registering SUSE Manager (see Section 4.2, “Installation”). In addition, packages need to be resynchronized using the mgr-ncc-sync tool. Finally, you have to reinstall the /root/ssl-build/rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm.

Another method is to back up all the files and directories mentioned above but reinstall the SUSE Manager without re-registering it. During the installation, cancel or skip the registration and SSL certificate generation sections.

The most comprehensive method is to back up the entire machine. This saves time in downloading and reinstalling but requires additional disk space and backup time.

[Note]

Regardless of the backup method used, when restoring SUSE Manager from a backup, you must run the following command to schedule the recreation of search indexes the next time the rhn-search service is started:

rcrhn-search cleanindex

8.5. Migrating Patches from Old to New Naming

Version 1.2 of SUSE Manager had the following syntax of patch names:

PREFIX-PATCHID-VERSIONPATCH-CHANNELARCH

This has been changed to a simpler notation:

PATCHID-VERSIONPATCH

After the migration has been successfully performed, the patches are listed twice after the first channel synchronization. The old names are still preserved and the new patch names are added. If you wish, the old names can be deleted (see below).

To migrate the old names to the new names, use the mgr-clean-old-patchnames command. It requires either a specific channel (using the -c option) or apply the conversation to all channels (using the -a option). However, the -a option removes all patches from cloned channels.

If a patch is not referenced from a channel, it will be deleted. In case you have a patch which is deleted from a specific channel, the patch will be preserved if it is also used in another channel.

For example, to execute the conversation process only for a SLES11 SP1 channel on a 64 bit architecture, use the following command:

mgr-clean-old-patchnames -c sles11-sp1-pool-x86_64

8.6. Configuring SUSE Manager's Database (smdba)

SUSE Manager provides the smdba command for managing the installed database. It is the successor of db-control, which is not supported anymore.

The smdba command works on local databases only, not remote. This utility allows you to do several administrative tasks like backing up and restoring the database, everything from creating, verifying, and restoring backups to obtain the database status and restart the database if necessary. The smdba command supports PostgreSQL 9.1 and Oracle 10g or 11g databases with different feature sets.

[Important]Running smdba Relies on sudo Enablement

Running smdba relies on proper sudo configuration. sudo allows you to invoke smdba as a regular user and thus, you are save from executing unwanted system changes.

For example, to allow the user admin (the administrative UID) to execute smdba commands, and thus manipulating the underlying database with the operative UID, make sure something as follows is configured in /etc/sudoers:

admin   ALL = (oracle, postgres) /usr/bin/smdba

With this settings admin will be allowed to access the target database account (oracle or postgres).

For configuring sudo and its security implications, see the sudo and sudoers manpages and the extensive comments in the /etc/sudoers configuration file.

Find basic information about smdba in the smdba manpage.

[Note]Restart Spacewalk Services When Connection is Lost

If you have stopped or restarted the database, it can happen that the Spacewalk services lost their connections. In such a case, run the following command:

spacewalk-service restart

8.6.1. Control Options

Depending on the database installed, smdba provides several subcommands; for the list of control options, see Section “Control Options” (Appendix A, Command Line Configuration Management Tools, ↑Reference Guide).

[Note]smdba help Output Depends on the Database Used

For a list of available commands on your particular appliance, call smdba help. Each subcommand can contain different options depending on the database used. To display the help message for a specific subcommand, call smdba COMMAND help.

8.6.2. Starting and Stopping the Database

There are three commands to start, stop, or get the status of the database. These commands work with both databases. Use the following commands:

smdba db-status
Checking database core...       online
smdba db-stop
Stopping the SUSE Manager database...
Stopping listener:     done
Stopping core:         done
smdba db-status
Checking database core...       offline
smdba db-start
Starting listener:     done
Starting core...       done

8.6.3. Backing up the Database

Backing up the database depends on the installed database:

Oracle

The smdba command can be used to create a hot backup, which is a backup that is performed without shutting down the database.

PostgreSQL

The smdba command performs a continuous archiving backup.

To perform a hot backup for Oracle, do the following:

  1. For Oracle, there is no need to specify the space where to store the backups. By default, backups will be stored at /opt/apps/oracle/flash_recovery_area/uppercase SID/.

  2. Perform the hot backup:

    smdba backup-hot
    Backing up the database:       finished
    Data files archived:
         /opt/apps/oracle/oradata/susemanager/system01.dbf
         /opt/apps/oracle/oradata/susemanager/sysaux01.dbf
         /opt/apps/oracle/oradata/susemanager/data_01.dbf
         /opt/apps/oracle/oradata/susemanager/undotbs01.dbf
         /opt/apps/oracle/oradata/susemanager/users01.dbf
    
    Archive logs:
    	/opt/apps/oracle/oradata/susemanager/archive1_32_784110049.dbf
    ...

    After the command returns without any errors, it contains some files in the flash_recovery_area directory.

  3. Get a list of available backups:

    smdba backup-list
    Getting available backups:    finished
    Backups available:
    
    Name:   /opt/apps/oracle/flash_recovery_area/SUSEMANAGER/backupset/2013_06_13/o1_mf_nnndf_TAG20130613T165358_8vmq8722_.bkp
    Files:
            Type: Full      Date: 13-JUN-13         File:
    /opt/apps/oracle/oradata/susemanager/system01.dbf
            Type: Full      Date: 13-JUN-13         File:
    /opt/apps/oracle/oradata/susemanager/sysaux01.dbf
            Type: Full      Date: 13-JUN-13         File:
    /opt/apps/oracle/oradata/susemanager/undotbs01.dbf
            Type: Full      Date: 13-JUN-13         File:
    /opt/apps/oracle/oradata/susemanager/users01.dbf
            Type: Full      Date: 13-JUN-13         File:
    /opt/apps/oracle/oradata/susemanager/data_01.dbf
    
    Name:   /opt/apps/oracle/flash_recovery_area/SUSEMANAGER/backupset/2013_06_14/o1_mf_nnndf_TAG20130614T040008_8vny9932_.bkp
    Files:
            Type: Full      Date: 14-JUN-13         File:
    /opt/apps/oracle/oradata/susemanager/system01.dbf
            Type: Full      Date: 14-JUN-13         File:
    /opt/apps/oracle/oradata/susemanager/sysaux01.dbf
            Type: Full      Date: 14-JUN-13         File:
    /opt/apps/oracle/oradata/susemanager/undotbs01.dbf
            Type: Full      Date: 14-JUN-13         File:
    /opt/apps/oracle/oradata/susemanager/users01.dbf
            Type: Full      Date: 14-JUN-13         File:
    /opt/apps/oracle/oradata/susemanager/data_01.dbf
    

To perform a hot backup for PostgreSQL, do the following:

  1. Allocate permanent space on your remote storage, which you use for general backups (NAS, iSCSI target, etc.). For example:

    /mnt/backup/

    This directory should always be the same and never change. It will be a permanent target to store new backups and restore from it during a disaster recovery.

  2. Create a directory with the correct permissions in your target directory, e.g., with using sudo:

    sudo -u postgres mkdir /mnt/backup/database

    Alternatively, as root:

    install -d -o postgres /mnt/backup/database

    Or:

    mkdir /mnt/backup/database
    chown postgres:postgres /mnt/backup/database
  3. If you want to create a backup for the first time, run:

    smdba backup-hot --enable=on --backup-dir=/mnt/backup

    This command performs a restart of the PostgreSQL database. If you want to renew the basic backup, use the same command.

  4. Perform the hot backup:

    smdba backup-hot --backup-dir=/mnt/backup/database
    ...

    If the command exits without any errors, find the backup files in your /mnt/backup/database directory.

8.6.4. Restoring Backups

Use smdba backup-restore to restore to an earlier point in time. To restore the backup, proceed as follows:

  1. Shutdown the database:

    smbda db-stop
  2. Start the restore process:

    smdba backup-restore start
  3. Restart the database:

    smbda db-start

The above steps can be combined with:

smdba backup-restore force

In this case it will select the most recent backup and purge the rest. Every time you create a new backup, it also purges the previous backups.

[Note]Restoring the Most Recent Backup Only

Because smdba makes automatic hot backups, it allows to restore only the most recent backup, and merging the current archive logs on top of it.

8.6.5. Archive Log Settings

In SUSE Manager with an embedded database, archive logging is enabled by default. This feature allows the database management tool smdba to perform hot backups.

With archive log enabled, far more data is stored on the hard disk:

  • Using an Oracle database, the archive log data will be removed as soon as you create a database backup with smdba.

  • With PostgreSQL only a limited number of archive logs is kept. With the default configuration, approx. 64 files with a size of 16 MiB are kept.

Creating a user and syncing the channels:

  • sles11-sp1-pool-x86_64

  • sles11-sp1-updates-x86_64

  • sles11-sp2-core-x86_64

  • sles11-sp2-updates-x86_64

will produce on PostgreSQL ~1 GB and on oracle ~7 GB additional data. So it is important to think about a backup strategy and create a backup in a regular way.

The archive logs are stored in:

  • /var/lib/pgsql/data/pg_xlog/ (PostgreSQL)

  • /opt/apps/oracle/oradata/sid/ (Oracle)

8.6.6. Getting Overview of Occupied Database Space

Database experts can use the subcommand space-overview to get a report about occupied table spaces, for example:

smdba space-overview

Tablespace | Size (Mb) | Used (Mb) | Avail (Mb) | Use %
-----------+-----------+-----------+------------+------
DATA_TBS   | 193.5     | 306.5     | 500        | 61   
SYSAUX     | 38.75     | 631.25    | 670        | 94   
SYSTEM     | .75       | 719.25    | 720        | 99   
TEMP       | 76        | 0         | 76         | 0    
UNDOTBS1   | 161.625   | 13.375    | 175        | 7    
USERS      | 3.6875    | 1.3125    | 5          | 26

This command is available for both databases, Oracle and PostgreSQL. For a more detailed report, use the space-tables subcommand. It lists the table and its size, for example:

smdba space-tables

Table                          | Size     
-------------------------------+----------
PXTSESSIONS                    | 64.00K   
QRTZ_BLOB_TRIGGERS             | 64.00K   
QRTZ_CALENDARS                 | 64.00K   
QRTZ_CRON_TRIGGERS             | 64.00K   
QRTZ_FIRED_TRIGGERS            | 64.00K
...

8.6.7. Migrating Embedded Database from Oracle to PostgreSQL

SUSE Manager provides a tool for easy migration of an embedded Oracle database to PostgreSQL. Simply run: /usr/lib/susemanager/bin/susemanager-oracle2postgres.sh.

This script performs all necessary steps. For transparency reasons only, we line out what happens during the migration:

  1. install_latest spacewalk-utils: installs all tools necessary for migration.

  2. install_latest susemanager-schema: since schema versions must be identical, the new PostgreSQL database uses the existing schema.

  3. spacewalk-service stop: halts the spacewalk service while the database keeps running.

  4. upgrade_schema: upgrades to the new schema.

  5. dump_schema: writes all schema data to the hard disk as plain text, which should take a while.

  6. switch_oracle2postgres: stops the Oracle database, removes it from the boot process (insserv -r oracle), then deletes all spacewalk Oracle packages and installs the necessary PostgreSQL packages.

  7. setup_postgres: initializes and configures the database.

  8. configure_suma: loads the database with the schema and rewrites the configuration files for PostgreSQL.

  9. import_schema: loads all data into the database, which will take a while.

  10. spacewalk-service start: starts all services.

8.7. Cloning SUSE Manager with the Embedded Database

You may limit outages caused by hardware or other failures by entirely cloning the SUSE Manager server with its embedded database. The secondary server can take over if the primary one fails. To clone the SUSE Manager server, perform these tasks:

  1. Clone the SUSE Manager server at the operating system level (OS level) with your backup tools (e.g., rsync) to a separate machine. As needed, repeat this step daily.

  2. Back up the primary SUSE Manager database daily using the commands described in Section 8.6, “Configuring SUSE Manager's Database (smdba)”. If this is done, only changes made the day of the failure will be lost.

  3. Establish a mechanism to copy the backup to the secondary SUSE Manager and keep the repositories synchronized using a file transfer program such as rsync. If you are using a SAN, copying is not necessary.

  4. Use the smdba backup-restore subcommand to import the database backup data.

  5. If the primary SUSE Manager fails, change DNS to point to the new machine or configure your load-balancer accordingly.

[Warning]

The database backup is valid only on an identical system clone, which can be restored only from the backup as described above. The database backup will not work on a system that you reinstalled from NCC!

8.8. Establishing Redundant SUSE Manager Servers with Stand-Alone Database

If you are using a standalone database, you can limit outages on SUSE Manager servers by preparing redundant SUSE Manager servers. Unlike cloning a SUSE Manager with Database, redundant SUSE Manager servers with stand-alone database may be run as active, as well as standby. This is entirely up to your network topology and is independent of the steps listed here.

To establish this redundancy, first install the primary SUSE Manager server as usual, except that the value specified in the Common Name field for the SSL certificate must represent your high-availability configuration rather than the hostname of the individual server. Proceed with the following steps:

  1. Consult your database administrator on how to prepare the stand-alone database for failover, using Oracle's recommendations for building a fault-tolerant database.

  2. Install SUSE Manager with stand-alone database on a separate machine, skipping the database configuration, database schema, SSL certificate, and bootstrap script generation steps. Include the same Novell Customer Center account and database connection information provided during the initial SUSE Manager installation and register the new SUSE Manager server.

    If your original SSL certificate does not take your high-availability solution into account, create a new one with a more appropriate Common Name value now. In this case, also generate a new bootstrap script that captures this new value.

  3. After installation, copy the following files from the primary to the secondary SUSE Manager:

    • /etc/rhn/rhn.conf

    • /etc/tnsnames.ora

  4. Copy and install the server-side SSL certificate RPMs from the primary SUSE Manager to the secondary. Refer to Chapter 3, SSL Infrastructure (↑Client Configuration Guide) in the Client Configuration Guide for information on SSL infrastructure. Remember, the Common Name value must represent the combined SUSE Manager solution, not a single machine's hostname.

    If you generated a new SSL certificate during the SUSE Manager installation that included a new Common Name value, copy the SSL certificate RPMs from the secondary to the primary server and redistribute the client-side certificate. If you also created another bootstrap script, you may use this to install the certificate on client systems.

  5. If you did not create a new bootstrap script, copy the contents of /srv/www/htdocs/pub/bootstrap/ from the primary server to the secondary. If you did generate a new one, copy that directory's contents to the primary SUSE Manager.

  6. Turn off the Task Engine on the secondary server with the following command:

    rctaskomatic stop

    You may use custom scripting or other means to establish automatic start-up or failover of the Task Engine on the secondary server. It will need to be started upon failover.

  7. Share channel package data (by default located in /var/spacewalk) between the SUSE Manager servers via a networked storage device. This eliminates data replication and ensures a consistent store of data for each SUSE Manager.

  8. Share cache data (by default located in /var/cache/rhn) between the SUSE Manager servers via a networked storage device. This eliminates data replication and ensures a consistent store of cached data for each server.

  9. Make the various SUSE Manager servers available on your network via Common Name and a method suiting your infrastructure. Options include round-robin DNS, a network load-balancer, and a reverse-proxy setup.

8.9. Conducting SUSE Manager-Specific Tasks

8.9.1. Deleting Users

If you need to delete users, click Users in the top navigation bar of the SUSE Manager Web site. In the resulting user list, click on the name of the user to be removed. On the user's Details page, click the delete user link at the top-right corner.

Figure 8.1. User Deletion

User Deletion

Confirm removal of this user by clicking the Delete User button.

Figure 8.2. User Delete Confirmation

User Delete Confirmation

[Note]

The delete operation fails if the user has the organization administrator role. Remove the organization administrator role from the user's profile before deleting the user from SUSE Manager.

Any organization administrator can remove the organization administrator role, provided there is at least one other organization administrator for the organization. To do so, click on the Users tab and then click the Details subtab.

8.9.2. Configuring SUSE Manager Search

SUSE Manager search results can be customized via the /etc/rhn/search.rhn-search.conf file. The following list defines the search configuration and their default values in parentheses.

search.rpc_handlers

Semi-colon separated list of classes to act as handlers for XMLRPC calls.

(filename>index:com.redhat.satellite.search.rpc.handlers.IndexHandler,
db:com.redhat.satellite.search.rpc.handlers.DatabaseHandler,
admin:com.redhat.satellite.search.rpc.handlers.AdminHandler)
search.max_hits_returned

Maximum number of results returned for the query (500).

search.connection.driver_class

JDBC driver class to conduct database searches (oracle.jdbc.driver.OracleDriver).

search.score_threshold

Minimum score a result needs to be returned as query result (.10).

search.system_score_threshold

Minimum score a system search result needs to be returned as a query result (.01).

search.errata_score_threshold

Minimum score a patch search result needs to be returned as a query result (.20).

search.errata.advisory_score_threshold

Minimum score a patch advisory result needs to be returned as a query result (.30).

search.min_ngram

Minimum length of n-gram characters. Note that any change to this value requires clean-index to be run, and doc-indexes need to be modified and rebuilt (1).

search.max_ngram

Maximum length of n-gram characters (5). Note that any change to this value requires clean-index to be run, and doc-indexes need to be modified and rebuilt.

search.doc.limit_results

Type true to limit the number of results both on search.score_threshold and restrict max hits to be below search.max_hits_returned; type false to return all documentation search matches (false).

search.schedule.interval

Input the time in milliseconds to control the interval with which the SearchServer polls the database for changes; the default is 5 minutes (300000).

search.log.explain.results

Used during development and debugging. If set to true, this will log additional information showing what influences the score of each result (false).

8.10. Automating Synchronization

Manually synchronizing the SUSE Manager repository with Novell Customer Center can be a time-consuming task. United States business hours tend to be the peak usage time for Novell Customer Center so synchronization at that time may be slow. Therefore, SUSE encourages you to automate synchronization at other times to better balance load and ensure fast synchronization. Continental United States business hours are roughly 8:00 AM to 9:00 PM EST (UTC -5), due to four time zones, Monday through Friday. These hours may vary seasonally by one hour. Further, SUSE strongly recommends that synchronization occurs randomly for best performance.

Use a cron job for automatic synchronization by editing the crontab as root:

crontab -e

This opens the crontab in a text editor.

Use the first five fields (minute, hour, day, month, and weekday) to schedule the synchronization. Remember, hours use the 24-hour format (military time). Edit the crontab to include random synchronization:

# connect to customer center every day at random time
# between 03:03 and 05:50
3 3 * * * sleep $[ $RANDOM / 5 ]; /usr/sbin/mgr-ncc-sync >/dev/null \
2>/dev/null

This particular job will run randomly between 3:03 a.m. and 5:50 a.m. system time each night and redirect stdout and stderr from cron to prevent duplicating the more readable message from mgr-ncc-sync. Options other than --email can also be included. Once you exit the editor, the modified crontab is installed immediately.

[Note]SUSE Customer Center with mgr-sync

If you already switched to SUSE Customer Center, use the mgr-sync command.

8.11. Implementing PAM Authentication

As security measures become increasingly complex, SUSE Manager supports network-based authentication systems via Pluggable Authentication Modules (PAM). PAM is a suite of libraries that allows to integrate SUSE Manager with a centralized authentication mechanism, thus eliminating the need to remember multiple passwords.

SUSE Manager supports LDAP, Kerberos, and other network-based authentication systems via PAM. To enable SUSE Manager to use PAM in your organization's authentication infrastructure, set up a PAM service file and make SUSE Manager use it. Follow the steps below.

  1. On a SUSE Linux Enterprise Server 11 SP3 system, a typical generic PAM service file could look as follows (save it as /etc/pam.d/susemanager to make it work with the settings below):

    #%PAM-1.0
    auth        required      pam_env.so
    auth        sufficient    pam_krb5.so no_user_check
    auth        required      pam_deny.so
    account     required      pam_krb5.so no_user_check
  2. Make SUSE Manager use this service file (/etc/pam.d/susemanager) by adding the following line to /etc/rhn/rhn.conf:

    pam_auth_service = susemanager
  3. To enable a user to authenticate against PAM, on the SUSE Manager Web interface go to the Create User page and select the checkbox labeled Pluggable Authentication Modules (PAM) positioned below the password and password confirmation fields.

  4. Then finally YaST can be used to configure PAM when packages such as yast2-ldap-client and yast2-kerberos-client are installed; for detailed information on configuring PAM, see the SUSE Linux Enterprise Server Security Guide. This example is not limited to Kerberos; it is a generic example and uses the current server configuration. Note that only network-based authentication services are supported.

[Note]Changing Passwords

Changing the password on the SUSE Manager Web interface changes only the local password on the SUSE Manager server. But this password may not be used at all if PAM is enabled for that user. In the above example, for instance, the Kerberos password will not be changed.

For more information, see http://wiki.novell.com/index.php/SUSE_Manager/Authentication.

8.12. Enabling Push to Clients

In addition to allowing client systems to regularly poll SUSE Manager for scheduled actions, users can enable SUSE Manager to immediately initiate those actions on provisioning-entitled systems. Thus you avoid the typical delay between scheduling an action and the client system retrieving the action from SUSE Manager. This support is provided by the OSA dispatcher (osa-dispatcher), which is installed and started on the server by default.

OSA dispatcher is a service that periodically queries SUSE Manager server for commands to execute on the client. If any actions exist, it sends a message via jabberd to the osad instances running on the clients.

[Important]

It is mandatory to use SSL between SUSE Manager and the client systems for this feature to work. If the SSL certificates are not available, the daemon on the client system will fail to connect.

To use this feature, first configure your firewall rules to allow connections on the required ports as described in Section 3.3, “Additional Requirements”.

Finally, install the osad package on all client systems to receive pushed actions. The package can be found in the Tools child channel.

[Warning]

Do not install the osad package on the SUSE Manager server. The osad client package conflicts with the osa-dispatcher server package.

Once installed, start the service on the client systems as root using the command:

rcosad start

Like other services, rcosa-dispatcher and rcosad accept stop, restart, and status commands as well.

This feature depends on the client systems recognizing the fully qualified domain name (FQDN) of SUSE Manager. The client systems use this name and not the IP address of the server when configuring the YaST Online Update.

Now when you schedule actions from SUSE Manager on any of the push-enabled systems, the task will be carried out immediately rather than after a client checks in.

8.13. SSH Server Push

SSH Server Push is intended to be used in environments where clients cannot reach the SUSE Manager server to regularly check in and, for example, fetch package updates. Therefore the server will contact the clients in regular intervals (using SSH) to perform all actions via an encrypted channel.

This feature enables SUSE Manager within the internal network to manage clients in the DMZ. In such a scenario, for security reasons no system in the DMZ is allowed to open a connection into the internal network. Instead SSH Server Push with tunnel initiates the tunnel from the internal network. Once all actions are performed, the tunnel will be closed again.

8.13.1. Configuring SUSE Manager Server

For tunneling connections via ssh, two available high port numbers (> 1024) are needed, one for tunneling HTTP and another for tunneling HTTPS (while HTTP is only needed during the registration process). The port numbers used by default are 1232 and 1233. To overwrite these, add your values in /etc/rhn/rhn.conf like this:

ssh_push_port_http = high port 1
ssh_push_port_https = high port 2
[Note]Specifying Ports for Tunneling before Registering Clients

The ports for tunneling need to be specified before the first client is registered. Clients already registered before changing the port numbers, must be registered again, otherwise the server will not be able to contact them anymore.

In case the clients should be contacted via their hostnames instead of their IP addresses, set the following option:

ssh_push_use_hostname = true

It is also possible to adjust the number of threads to use for opening client connections in parallel. By default two parallel threads are used. Set taskomatic.ssh_push_workers in /etc/rhn/rhn.conf like this:

taskomatic.ssh_push_workers = number

8.13.2. Client Registration

Registration of a client that is unable to reach the server needs to be done on the server. Therefore we are shipping a tool called mgr-ssh-push-init, which obsoletes mgr-push-register. The latter could only set up clients to be managed via an SSH tunnel. The deprecated mgr-push-register script now simply calls the new one and will be removed with one of the next releases.

The new script provides the option to initialize and register a client to be managed via SSH push with or without tunneling. This command expects a client's hostname (or IP address) as well as the path to a valid bootstrap script in the server's file system as parameters for registration:

mgr-ssh-push-init --client client --register bootstrap_script --tunnel

For registration of systems that should be managed via SSH push, an activation key can be configured to enable this contact method. Go to Systems+Activation Keys and click on a key or create a new one. Select your preferred Push method from the dropdown menu and click on Update Activation Key.

All systems registered with an activation key will be pre-configured to be contacted by the server using the method specified in the key. Currently, the following server contact methods are available:

Pull via XMLRPC:

The longtime default: the clients contact the server.

Push via SSH:

The server will contact the clients using SSH and run rhn_check there.

Push via SSH tunnel:

The server will contact the clients and run rhn_check via an encrypted SSH tunnel.

For already registered clients it is still possible to change the contact method in the system details Web interface: On the Systems page select the system, click Edit These Properties and set the value in the Contact Method combobox, then click Update Properties.

To enable managing a client using Push via SSH (without tunneling), the same script can be used as with tunneling. Registration is optional since it can also be done from within the client in this case:

mgr-ssh-push-init --client client [--register bootstrap_script]

Note that mgr-ssh-push-init will automatically generate the necessary SSH key pair if it does not yet exist on the SUSE Manager server. The correct host keys of clients are being stored in the known_hosts file.

[Note]

When using the Push via SSH tunnel contact method, the client is configured to connect to SUSE Manager via high port[1|2]. Tools like rhn_check and zypper will need an active SSH session with the proper port forwarding options to access the SUSE Manager API. To verify the Push via SSH tunnel connection manually, you can run the following command on the SUSE Manager server:

ssh -i /root/.ssh/id_susemanager -R high port2:susemanager:443 client zypper ref

8.13.3. Proxy Support

Make sure that the latest maintenance updates with the registration tool are installed on the SUSE Manager Proxy system.

It is possible to use the SSH push contact methods to manage systems that are connected to the SUSE Manager server via a proxy. To register such a system, run mgr-ssh-push-init on the proxy server that is next to the respective client.

This will even work with a chain of cascading SUSE Manager proxies. The only known limitation is that the server needs to be able to directly connect to the last proxy in the chain.

8.14. Uploading and Maintaining Custom Packages

The mgrpush application allows you to serve custom packages associated with a private SUSE Manager channel through the SUSE Manager server. If you want the SUSE Manager server to serve only official SUSE Linux Enterprise or Red Hat Enterprise Linux packages, you do not need to install mgrpush.

All packages distributed through SUSE Manager should have a digital signature. A digital signature is created with a unique private key and can be verified with the corresponding public key. After creating a package, the SRPM (Source RPM) and the RPM can be digitally signed with a GnuPG key. Before the package is installed, the public key is used to verify the package was signed by a trusted party and the package has not changed since it was signed.

8.14.1. Generating a GnuPG Keypair

A GnuPG keypair consists of the private and public keys. To generate a keypair, proceed as follows:

  1. Type the following command as root on the shell prompt:

         gpg --gen-key
        
  2. The command will prompt for key type. Choose option (2) DSA and ElGamal. This allows you to create a digital signature and encrypt/decrypt with two types of technologies.

  3. Choose the key size. The longer the key, the more resistant against attacks the messages are. Creating a key of at least 2048 bits in size is recommended.

  4. Next, specify how long the key needs to be valid. When choosing an expiration date, remember that anyone using the public key must also be informed of the expiration and supplied with a new public key. We recommended to not select an expiration date. If you do not specify an expiration date, you are asked to confirm that the key should not expire.

  5. In the next steps, provide a User-ID containing your name, your email address, and an optional comment. When finished, you are presented with a summary of the information you entered. Accept your choices and enter a passphrase.

    [Note]

    A good passphrase is essential for optimal security in GnuPG. Mix your passphrase with uppercase and lowercase letters, use numbers or punctuation marks.

  6. Once you enter and verify your passphrase, the keys are generated. A message will ask you to move the mouse or otherwise interact with the system to generate random data for the key. This part of the key generation process may take several minutes. When the activity on the screen ceases, your new keys are placed in the directory .gnupg in root's home directory. This is the default location for keys generated by the root user.

    To list the root keys, use the gpg --list-keys command.

  7. To retrieve the public key, use the command gpg --list-keys command. The public key is written to the file public_key.txt. This key must be deployed to all client systems that receive custom packages from SUSE Manager. Techniques for deploying this key across an organization are covered in Chapter 4, Importing Custom GPG Keys (↑Client Configuration Guide)

8.14.2. Signing Custom Packages

Before the rpm command can be used to sign packages, it needs to know the key to use. View the uid of your secret key:

   gpg --list-secret-keys | grep uid
   

Add the following lines to the ~/.rpmmacros

    %_signature gpg 
    %_gpg_path /etc/rpm/.gpg 
    %_gpg_name secret_key_uid 
    %_gpgbin /usr/bin/gpg 
   

Replace secret_key_uid with exactly the output from the gpg --list-secret-keys | grep uid command.

[Note]

RPMs can be signed during or after build. Determine if a package has already been signed with the command: rpm -qip filename.rpm.

If the RPM is already signed, check whether the signature is correct. If the existing signature is not correct, resign the package:

    rpm --resign filename.rpm 
   

If the RPM is not signed, sign it:

    rpm --addsign filename.rpm 
   

Check the value of the "Signature" tag to ensure that the RPM has been signed correctly:

    rpm -qip filename.rpm 
   

8.14.3. Uploading Custom Packages

To use mgrpush, install the rhnpush package and its dependencies. This package is available to registered SUSE Manager Server systems and is installed by running zypper in rhnpush.

mgrpush uploads RPM header information to the SUSE Manager server database and places the RPM in the SUSE Manager server package repository.

When mgrpush is installed, a central configuration file is installed in /etc/sysconfig/rhn/rhnpushrc. This file contains default values for all the options, which are described in the mgrpush manual page (man mgrpush).

Additionally, mgrpush looks for settings in the current directory (./.rhnpushrc) take precedent over those in the user's home directory (~/.rhnpushrc), which are used before those in the central configuration file (/etc/sysconfig/rhn/rhnpushrc). These distinct configuration files are useful in varying settings depending on the directory from which the mgrpush command is issued.

For instance the current directory configuration file can be used to specify:

  • the software channel to be populated,

  • the home directory configuration file to include the username to be invoked,

  • the central configuration file to identify the server to receive the packages.

8.15. Configuring Audit Log Keeper

Audit Log Keeper buffers incoming messages and delivers them to several destinations. A destination can be any type of storage, database, or search index as long as they are supported by Audit Log Keeper.

8.15.1. Installing Audit Log Keeper

Install the package auditlog-keeper to get its core functionality. Audit Log Keeper supports several output plugins, which can be installed if you need further logging capabilities. See Table 8.1, “Available Optional Log Keeper Plug-ins”.

Table 8.1. Available Optional Log Keeper Plug-ins

Package

Description

auditlog-keeper-rdbms

Stores log events into a relational database.

auditlog-keeper-syslog

Stores log events on a remote syslog server; supports TCP, UDP, and local connections.

auditlog-keeper-xmlout

Writes its log events into an XML file.


Apart from the core package and optional plug-ins, you need to install at least one schema validator. Schema validators are sanitation filters that reject inaccurate data from the client components and assures that the logging events are described in a standardized format. For SUSE Manager install the package auditlog-keeper-spacewalk-validator.

8.15.2. Configuring Audit Log Keeper

Audit Log Keeper is a solution which is independent from SUSE Manager. As such, it first needs to be enabled before it can collect log events. To enable Audit Log Keeper to write its log events to /var/log/messages, add the following line anywhere in /etc/rhn/rhn.conf:

audit.enabled=1

Restart the SUSE Manager server by running the following command:

spacewalk-service restart

After the command is successfully executed, Audit Log Keeper is correctly enabled and executed. To also enable Audit Log Keeper on system startup, use the following command as user root:

chkconfig auditlog-keeper on

Apart from the above first steps, it is a good idea to change the default credentials. Proceed as follows:

Procedure 8.3. Changing Default Credentials

  1. Log in as root. Stop the Audit Log Keeper and SUSE Manager server:

    rcauditlog-keeper stop
    spacewalk-service stop
  2. Remove table files manually:

    rm /var/opt/auditlog-keeper/auditlog*
  3. Change the password in the config file for the backend.db.auth.user and backend.db.auth.password fields:

    auditlog-keeper --configure

    Save the new configuration by pressing :+w+q and hit Enter.

  4. Start the Audit Log Keeper and SUSE Manager server again:

    rcauditlog-keeper start
    spacewalk-service start

Find further information about Audit Log Keeper plugins and how to configure at http://wiki.novell.com/index.php/AuditLogKeeper. An FAQ can be found at http://wiki.novell.com/index.php/AuditLogKeeperFAQ.

8.16. Generating Spacewalk Reports

The spacewalk-report tool creates a report from the SUSE Manager server in a comma separated value (CSV) format.

8.16.1. Options for spacewalk-report

The spacewalk-report offers some options, which are briefly explained in Table 8.2, “Options for spacewalk-report.

Table 8.2. Options for spacewalk-report

--db

Passes alternative database string (username/password@sid); default is taken from /etc/rhn/rhn.conf (default_db keyword).

--info

Prints available reports.

--list-fields

Lists fields of the report.

--list-fields-info

Same as --list-fields.


8.16.2. Using spacewalk-report

To get an overview of available reports, use the --info option:

spacewalk-report --info
channel-packages: Packages in channels
channels: Channel report
entitlements: Entitlement and channel list and usage
errata-list: Errata out of compliance information - errata details
errata-list-all: List of all erratas
errata-systems: Errata out of compliance information - erratas for systems
inventory: Inventory report
users: Users in the system
users-systems: Systems administered by individual users

This gives you a list of all available report generators and their description. For example, to list all the available channels, use this command:

spacewalk-report channels
channel_label,channel_name,number_of_packages
sles11-sp1-pool-i586,SLES11-SP1-Pool for i586,0
sles11-sp1-pool-x86_64,SLES11-SP1-Pool for x86_64,0

If you need to get a list of all users, pass the users option to the command:

spacewalk-report users
organization_id,organization,user_id,username,last_name,first_name,position,email,role,creation_time,last_login_time,active
1,Penguin Inc.,1,admin,Penguin,Tux,,tux@example.org,Organization Administrator;SUSE Manager Administrator,2012-03-19 15:59:40,2012-03-21 13:43:45,enabled

8.17. Online Migration with YaST Wagon

An online migration is conveniently performed with YaST Wagon.

  1. Run /usr/sbin/wagon as root from the command line.

  2. Confirm the Welcome dialog with Next.

  3. If Wagon finds that the requirements are not met (required maintenance updates are available but not yet installed), it will do an automatic self-update, which may require a reboot. Follow the on-screen instructions.

  4. Choose the update method in the following dialog. Select Customer Center to use the default setup (recommended).

    Click Custom URL to manually choose the software channels used for the online migration. A list of channels will be displayed, providing the opportunity to manually enable, disable, add, or delete channels. Add the SUSE Manager update source(s). This can either be the SUSE Manager installation media or the SUSE-Manager-Server-2.1-Pool and SUSE-Manager-Server-2.1-Updates channels. Click OK to return to the Update Method dialog.

    If you want to review changes to the channel setup caused by the update process, select Check Automatic Repository Changes.

    Proceed with Next.

  5. The system will be re-registered. During this process the Pool and Updates channels will be added to the system. Confirm the addition of the channels.

  6. If you have selected Check Automatic Repository Changes in the Update Method dialog, the list of repositories will be displayed, providing the opportunity to manually enable, disable, add, or delete channels. Proceed with OK when finished.

  7. The Distribution Upgrade Settings screen opens and presents a summary of the update configuration. The following sections are available:

    Add-On Products

    Do not select any add-on products during migration.

    Update Options

    Lists the actions that will be performed during the update. You can choose whether to download all packages before installing them (default, recommended), or whether to download and install packages one by one.

    Packages

    Statistical overview of the update.

    Backup

    Set backup options.

    Click Next and Start The Update to proceed.

    [Important]Aborting the Online Migration

    It is safe to abort the online migration on this screen prior to clicking Start The Update and on all previous screens. Click Abort to leave the update procedure and restore the system to the state it was in prior to starting YaST Wagon. Follow the instructions on screen and perform a re-registration before leaving Wagon to remove obsolete channels from your system.

  8. During the update procedure the following steps are executed:

    1. Packages will be updated.

    2. The system will be rebooted (press OK).

    3. The newly updated system will be re-registered.

  9. After the service pack migration has finished successfully, reboot the server. Then, to complete the SUSE Manager server upgrade run:

    /usr/lib/susemanager/bin/susemanager-upgrade.sh
  10. Your system has been successfully updated to SUSE Manager 2.1.

[Important]Upgrading the Database Schema

During first startup several errors will occur because of an invalid database schema. Run the script susemanager-upgrade, which prepares the database for the schema upgrade, performs the upgrade, and converts configuration variables from rhn.conf to the database.

Chapter 9. For More Information

Abstract

SUSE Manager

This guide gave you a short introduction to SUSE Manager. To discover more, refer to the other manuals available for SUSE Manager. Find them at http://www.suse.com/documentation/suse_manager. Alternatively, access them from the SUSE Manager Web interface by selecting Help from the top navigation bar.

Novell Wiki

On the Novell Wiki you can read articles about this product and add tips and tricks yourself. Find them at http://wiki.novell.com/index.php/SUSE_Manager.

SUSE Manager Twitter Account

Stay in contact with our Twitter account and get the latest news at http://twitter.com/susemanager.

Novell Customer Center

For detailed information about the NCC, refer to the NCC guide available at http://www.novell.com/documentation/ncc.

KVM

For detailed information about KVM refer to the guide Virtualization with KVM, available at http://www.suse.com/documentation/sles11.

Appendix A. Documentation Updates

This section contains information about documentation content changes made to the Installation & Troubleshooting Guide.

This document was updated on the following dates:

A.1. October 20, 2016

Updates were made to the following section. The changes are explained below.

Section 3.1.2, “Supported Client Systems”

SUSE Linux Enterprise 10 SP3 and SP4 and SUSE Linux Enterprise 11 SP3 are no longer supported client systems.

Section 4.5.2, “Setup of SUSE Channels and Products”

More information on synchronizing RHEL channels.

A.2. February 24, 2016

Updates were made to the following section. The changes are explained below.

Section 3.3, “Additional Requirements”

Add list of external contact addresses.

Section 4.6, “Satellite to SUSE Manager Server Migration”

Warn to make sure to migrate to SCC first.

Section 7.17, “Multiple Mirror Credentials”

Add section about using this feature with SCC.

Section 8.12, “Enabling Push to Clients”

The osa-dispatcher server package is installed by default.

A.3. December 17, 2015

Updates were made to the following section. The changes are explained below.

General

Move Chapter 7, Performing a System Upgrade (Offline Migration) (↑Client Configuration Guide) to Client Configuration Guide (↑Client Configuration Guide).

Section 3.1.2, “Supported Client Systems”

As supported client systems also list SUSE Linux Enterprise 11 SP4 and remove SP1 and SP2.

A.4. September 25, 2015

Updates were made to the following section. The changes are explained below.

Section 3.1.2, “Supported Client Systems”

Update feedback section.

Section 3.1.2, “Supported Client Systems”

As supported client systems also list Novell Open Enterprise Server 11 SP2.

Section 3.3, “Additional Requirements”

For debugging, link to Section 7.6, “Log Files” (https://bugzilla.suse.com/show_bug.cgi?id=931239).

Section 4.2, “Installation”

Add information SUSE Customer Center registration instead of NCC at the end of the initial SUSE Manager setup (https://bugzilla.suse.com/show_bug.cgi?id=907525).

Section 4.3, “Setup”

Now use mgr-sync and SCC (https://bugzilla.suse.com/show_bug.cgi?id=907825).

Section 4.6, “Satellite to SUSE Manager Server Migration”

Now use SCC (https://bugzilla.suse.com/show_bug.cgi?id=907825).

Section 4.4, “Setup Without Internet Connection”

Add information about using SUSE Customer Center (https://bugzilla.suse.com/show_bug.cgi?id=937046).

Section 4.5.2, “Setup of SUSE Channels and Products”

Now use spacewalk-remove-channel to remove SUSE channels (https://bugzilla.suse.com/show_bug.cgi?id=917771).

Section 7.3, “Configuring Reliable SUSE Manager Setup”

New section (https://bugzilla.suse.com/show_bug.cgi?id=919093).

Section 7.1.3, “Mail and Notification Issues”

New section (https://bugzilla.suse.com/show_bug.cgi?id=933298).

Section 7.6, “Log Files”

Recommend 4096 for taskomatic.maxmemory (https://bugzilla.suse.com/show_bug.cgi?id=931239).

Section 7.9, “Using a Proxy with Certificates to Access the Internet”

New section (https://bugzilla.suse.com/show_bug.cgi?id=912339).

Section 7.12, “RPC Connection Timeout Settings”

Fix variable name for proxy timeout setting (https://bugzilla.suse.com/show_bug.cgi?id=929379).

Section 8.10, “Automating Synchronization”

Recommend using mgr-sync with SUSE Customer Center.

A.5. July 31, 2015

Updates were made to the following section. The changes are explained below.

Section 3.1.2, “Supported Client Systems” xrefstyle="SectTitleOnPage"/>

As supported client systems also list SUSE Linux Enterprise 12 and Red Hat Enterprise Linux 7.

Warn about registering a SUSE Manager instance against itself (https://bugzilla.suse.com/show_bug.cgi?id=919445).

Chapter 5, SUSE Manager on IBM z Systems xrefstyle="SectTitleOnPage"/>

New chapter.

A.6. February 12, 2015

Updates were made to the following section. The changes are explained below.

Section 8.2, “Updating SUSE Manager” xrefstyle="SectTitleOnPage"/>

Remove misleading database start command.

Section “Autoinstallation > Distributions — [Prov]” (Chapter 3, Systems, ↑User Guide) xrefstyle="SectTitleOnPage"/>

More detailed description where you will find information about the installation data (source) to be provided.

Section 3.3, “Additional Requirements” xrefstyle="SectTitleOnPage"/>

Also Virtual Environments require now 4 GB of RAM or more.

Section 4.5.2, “Setup of SUSE Channels and Products”

Add note about Expanded Support setup.

Section “Activation Keys — [Mgmt]” (Chapter 3, Systems, ↑User Guide)

Explicitly list the activation key separator.

Section 8.6, “Configuring SUSE Manager's Database (smdba)”

Remove list of control options here; they are also listed in Section “Configuring SUSE Manager's Database (smdba)” (Appendix A, Command Line Configuration Management Tools, ↑Reference Guide).

Section 8.6.5, “Archive Log Settings”

Fix link to archive logs.

Section 8.11, “Implementing PAM Authentication”

Update PAM settings.

A.7. February 6, 2015

Updates were made to the following section. The changes are explained below.

A.8. December 5, 2014

Updates were made to the following section. The changes are explained below.

Section 6.4.2, “Configuring Slave Servers”

Note on slave servers and SCC.

Section 8.17, “Online Migration with YaST Wagon

Online applet does not exist on a SUSE Manager standard installation.

Add step to call susemanager-upgrade.sh.

A.9. April 30, 2014

Section 8.14, “Uploading and Maintaining Custom Packages”

New sections on generating GPG keys and signing custom packages.

A.10. April 29, 2014

Information on installation and initial setup has been consolidated.

Installation & Troubleshooting Guide

Quick Start and Installation & Troubleshooting Guide merged into one guide. Quick Start is now obsolete.

A.11. November 22, 2013

Updates were made to the following sections. The changes are explained below.

A.11.1. Installation

Section 4.1, “Summary of Steps”

Add warning about SUSE Manager renaming.

A.11.2. Troubleshooting

Section 7.2, “General Problems”

Move this section to the beginning of the chapter.

Section 7.2, “General Problems”

Add PostgreSQL as an embedded database.

Section 7.7, “Naming Custom Channels”

New section.

Section 7.8, “Accessing Local Channels without Proxy”

Enhance server.satellite.no_proxy description.

Section 7.13, “Connection Errors”

Fix location of ssl.crt/server.crt.

Section 7.18, “Invoking spacecmd”

New section.

A.11.3. Maintenance

Section 8.2, “Updating SUSE Manager”

Add PostgreSQL start command.

Section 8.6.3, “Backing up the Database”

Cleanup the PostgreSQL related procedure.

A.12. September 9, 2013

Updates were made to the following sections. The changes are explained below.

A.12.1. Importing and Synchronizing with Inter-Server Sync

A.13. August 23, 2013

Updates were made to the following sections. The changes are explained below.

A.13.1. Meta Information

A.13.2. Installation

Chapter 4, Installation

Move listing of new features and changes to Appendix F, Changes (↑Reference Guide).

A.13.3. Importing and Synchronizing

A.13.5. Maintenance

Section 8.6, “Configuring SUSE Manager's Database (smdba)”

Add an explaining note: Running smdba requires proper sudo enablement. root no longer is allowed to run smdba.

Section 8.6.3, “Backing up the Database”

Better distinguish between creating backups for PostgreSQL or oracle.

Section 8.6.5, “Archive Log Settings”

New section.

Section 8.7, “Cloning SUSE Manager with the Embedded Database”

Replace DB control with smdba and change procedure for clarification.

Section 8.10, “Automating Synchronization”

Fix and improve crontab entry. Specify full path to the command.

Section 8.13, “SSH Server Push”

New section.

Chapter 7, Performing a System Upgrade (Offline Migration) (↑Client Configuration Guide)

mgr-ncc-sync requires --all-childs to list all channels.

A.14. January 25, 2013

Updates were made to the following sections. The changes are explained below.

A.14.1. Installation

Section 4.4, “Setup Without Internet Connection”

Refresh the data in the database (mgr-ncc-sync) before triggering the sync.

A.14.2. Troubleshooting

Section 7.17, “Multiple Mirror Credentials”

Clarify warning about removing channels.

A.15. November 28, 2012

Updates were made to the following sections. The changes are explained below.

A.15.2. Maintenance

SUSE Manager 2.1

User Guide

Publication Date 19 Oct 2016

Copyright © 2016 SUSE LLC

Copyright © 2011-2014 Red Hat, Inc.

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution-Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

This document is an adaption of original works found at https://access.redhat.com/site/documentation/en-US/Red_Hat_Network_Satellite/5.4/ and https://access.redhat.com/site/documentation/en-US/Red_Hat_Network_Satellite/5.5/ and https://access.redhat.com/site/documentation/en-US/Red_Hat_Satellite/.

Red Hat, as a licensor of these documents, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. Java® is a registered trademark of Oracle and/or its affiliates. XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries. All other trademarks are the property of their respective owners.

For Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell.com/company/legal/trademarks/tmlist.html. Linux* is a registered trademark of Linus Torvalds. All other third party trademarks are the property of their respective owners. A trademark symbol (®, ™ etc.) denotes a Novell trademark; an asterisk (*) denotes a third party trademark.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither Novell, Inc., SUSE LINUX Products GmbH, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.


Contents

About This Guide
1. Available Documentation
2. Feedback
3. Documentation Conventions
1. SUSE Customer Center (SCC) and Organization Credentials (Mirroring Credentials)
1.1. Getting your SUSE Customer Center Organization Credentials (Mirroring Credentials)
1.2. SUSE Customer Center (SCC)
2. Web Interface — Navigation and Overview
2.1. Navigation
2.2. Overview
2.3. Your Account
2.4. Your Preferences
2.5. Locale Preferences
2.6. Subscription Management
2.7. Organization Trusts
3. Systems
3.1. Overview — [Mgmt]
3.2. Systems
3.3. System Groups — [Mgmt]
3.4. System Set Manager — [Mgmt]
3.5. Advanced Search — [Mgmt]
3.6. Activation Keys — [Mgmt]
3.7. Stored Profiles — [Mgmt]
3.8. Custom System Info — [Prov]
3.9. Autoinstallation — [Prov]
4. Patches
4.1. Relevant Patches
4.2. All Patches
4.3. Advanced Search
4.4. Manage Patches
5. Channels
5.1. Software Channels
5.2. Package Search
5.3. Manage Software Channels
6. Audit
6.1. CVE Audit
6.2. OpenSCAP
7. System Security via OpenSCAP
7.1. OpenSCAP Features
7.2. Prerequisites for Using OpenSCAP in SUSE Manager
7.3. Performing Audit Scans
7.4. Viewing SCAP Results
7.5. OpenSCAP SUSE Manager Web Interface
8. Configuration
8.1. Preparing Systems for Config Management
8.2. Overview
8.3. Configuration Channels
8.4. Configuration Files
8.5. Systems
9. Schedule
9.1. Pending Actions
9.2. Failed Actions
9.3. Completed Actions
9.4. Archived Actions
9.5. Action Chains
9.6. Actions List
10. Users — [Mgmt]
10.1. User List > Active — [Mgmt]
10.2. User List > Deactivated — [Mgmt]
10.3. User List > All — [Mgmt]
11. Monitoring — [Mon]
11.1. Status — [Mon]
11.2. Scout Config Push — [Mon]
11.3. Notification — [Mon]
11.4. Probe Suites — [Mon]
11.5. General Monitoring Config — [Mon]
12. Admin
12.1. Admin > Setup Wizard
12.2. Admin > Organizations
12.3. Admin > Subscriptions
12.4. Admin > Users
12.5. Admin > SUSE Manager Configuration
12.6. Admin > ISS Configuration
12.7. Admin > Task Schedules
12.8. Admin > Task Engine Status
12.9. Admin > Show Tomcat Logs
13. Help
13.1. SUSE Manager Installation & Troubleshooting Guide
13.2. SUSE Manager User Guide
13.3. SUSE Manager Proxy Quick Start
13.4. SUSE Manager Reference Guide
13.5. SUSE Manager Client Configuration Guide
13.6. Release Notes
13.7. Search
A. Documentation Updates
A.1. February 24, 2016
A.2. January 20, 2016
A.3. September 25, 2015
A.4. February 6, 2015
A.5. December 5, 2014
A.6. May 15, 2014
A.7. April 28, 2014
A.8. April 25, 2014
A.9. April 24, 2014
A.10. April 22, 2014
A.11. April 4, 2014
A.12. April 1, 2014
A.13. March 31, 2014
A.14. March 29, 2014
A.15. March 28, 2014

List of Tables

2.1. Entitlement Markers

About This Guide

SUSE® Manager enables you to efficiently manage a set of Linux systems and keep them up-to-date. It provides automated and cost-effective software management, asset management, system provisioning, and monitoring capabilities. SUSE Manager is compatible with Red Hat Satellite Server and offers seamless management of both SUSE® Linux Enterprise and Red Hat Enterprise Linux client systems.

This manual explains the features of the Web interface and is intended for SUSE Manager administrators and administrators with restricted roles for specific tasks. On certain topics we also provide background information, while some chapters contain links to additional documentation resources. The latter include additional documentation available on the installed system as well as documentation on the Internet.

For an overview of the documentation available for your product and the latest documentation updates, refer to http://www.suse.com/documentation/suse_manager/ or to the following section.

HTML versions of the manuals are also available from the Help tab of the SUSE Manager Web interface.

[Note]Obtaining the Release Notes

Although this manual reflects the most current information possible, read the SUSE Manager Release Notes for information that may not have been available prior to the finalization of the documentation. The notes can be found at http://www.suse.com/documentation/suse_manager/.

1. Available Documentation

The following manuals are available on this product:

Installation & Troubleshooting Guide (↑Installation & Troubleshooting Guide)

Lists installation scenarios and example topologies for different SUSE Manager setups. Guides you step by step through the installation, setup and basic configuration of SUSE Manager. Also contains detailed information about SUSE Manager maintenance and troubleshooting.

Proxy Quick Start (↑Proxy Quick Start)

Gives an overview of the installation and setup of SUSE Manager Proxy.

User Guide

Guides through common use cases and explains the Web interface.

Client Configuration Guide (↑Client Configuration Guide)

Describes best practices for setting up clients to connect to a SUSE Manager server or SUSE Manager Proxy.

Reference Guide (↑Reference Guide)

Reference documentation that covers administration topics like registering and updating client systems, configuring the SUSE Manager daemon, monitoring client systems, and more. Also contains a glossary with key terms used in the SUSE Manager context.

HTML versions of the product manuals can be found in the installed system under /usr/share/doc/manual. Find the latest documentation updates at http://www.novell.com/documentation where you can download PDF or HTML versions of the manuals for your product.

2. Feedback

Several feedback channels are available:

Bugs and Enhancement Requests

For services and support options available for your product, refer to http://www.suse.com/support/.

To report bugs for a product component, go to https://scc.suse.com/support/requests, log in, and click Create New.

User Comments

We want to hear your comments about and suggestions for this manual and the other documentation included with this product. Use the User Comments feature at the bottom of each page in the online documentation or go to http://www.suse.com/doc/feedback.html and enter your comments there.

Mail

For feedback on the documentation of this product, you can also send a mail to doc-team@suse.de. Make sure to include the document title, the product version and the publication date of the documentation. To report errors or suggest enhancements, provide a concise description of the problem and refer to the respective section number and page (or URL).

3. Documentation Conventions

The following typographical conventions are used in this manual:

  • /etc/passwd: directory names and filenames.

  • placeholder: replace placeholder with the actual value.

  • PATH: the environment variable PATH.

  • ls, --help: commands, options, and parameters.

  • user: users or groups.

  • Alt, Alt+F1: a key to press or a key combination; keys are displayed with uppercase letters as on a keyboard.

  • File, File+Save As: menu items, buttons.

  • ►amd64 em64t: This paragraph is only relevant for the specified architectures. The arrows mark the beginning and the end of the text block.

  • Dancing Penguins (Chapter Penguins, ↑Another Manual): This is a reference to a chapter in another manual.

Chapter 1. SUSE Customer Center (SCC) and Organization Credentials (Mirroring Credentials)

SUSE Customer Center (SCC) is the place to manage your SUSE subscriptions, access software updates and get in contact with SUSE Customer Support. The registration flow allows you to get access to your patches and updates.

1.1. Getting your SUSE Customer Center Organization Credentials (Mirroring Credentials)

Start a Web browser and navigate to https://scc.suse.com. On the SUSE Customer Center (SCC) login page, log in to view your organization credentials and see all entitlements for your registered systems. If you have not yet registered a system or do not have a SUSE account, create a new account by following the Create an account link. After creating a new user account, you must register a system before using SUSE Manager. On the SUSE Customer Center Web page, activate the Organization tab to get your Organization Credentials (mirroring credentials) needed to access the channels for your SUSE products. For information about SCC, refer to the SCC help available at http://scc.suse.novell.com/docs/help.

1.2. SUSE Customer Center (SCC)

SUSE Customer Center (SCC) is the successor of the Novell Customer Center. On SCC, you now see all your subscriptions. Products before SUSE Linux Enterprise 12 such as SUSE Linux Enterprise Server 11 SP3 or SUSE Linux Enterprise Server 10 SP4 continue to be available via NCC and can be managed with NCC related tools such as mgr-ncc-sync. For SUSE Linux Enterprise 12 as SUSE Manager clients, using SCC is a prerequisite. Of course, SCC is ready for all product lines and thus it is recommended to manage older products such as SUSE Linux Enterprise Server 11 SP3 or SUSE Linux Enterprise Server 10 SP4 via SCC, too.

1.2.1. Migrating a Configured SUSE Manager to SCC

[Note]Subscription Management Tool (SMT)

If your SUSE Manager server is connected to a Subscription Management Tool (SMT) server, first switch the SMT server to SUSE Customer Center (SCC), then switch the SUSE Manager server.

To migrate your SUSE Manager server to SCC perform an update as usual (see Section “Updating SUSE Manager” (Chapter 8, Maintenance, ↑Installation & Troubleshooting Guide)) and enable SCC before refreshing your customer center data with the following commands (if you prefer the Web interface, see later in this section):

Procedure 1.1. Migrating to and Enabling SCC with Command Line Tools

  1. Stop the Spacewalk service:

    spacewalk-service stop
  2. Apply the SUSE Manager update using either zypper or YaST Online Update.

  3. Upgrade the database schema with

    spacewalk-schema-upgrade
  4. Start the Spacewalk service:

    spacewalk-service start
  5. Call mgr-sync to enable SCC:

    mgr-sync enable-scc
    [Note]Disable Obsolete Cron Jobs

    After switching to SCC, disable or delete obsolete cron jobs that you might have enabled for mgr-ncc-sync (see Section “Automating Synchronization” (Chapter 8, Maintenance, ↑Installation & Troubleshooting Guide)) or mgr-inter-sync.

  6. Call mgr-sync to refresh your customer center data:

    mgr-sync refresh

You can perform the migration to SCC with the Web interface as well. The Web interface will detect when the migration is possible after an update of the SUSE Manager server, and display such a note:

Figure 1.1. Web Interface: SCC Migration Note

Web Interface: SCC Migration Note

Click Migrate in the text of the note to open the SUSE Customer Center dialog of the Admin tab.

Figure 1.2. Web Interface: SCC Configuration

Web Interface: SCC Configuration

Then click Start Migration to SUSE Customer Center to perform the actual migration to SCC.

1.2.2. Installing SUSE Manager and Using SCC

Perform a SUSE Manager installation as usual and register preliminarily at NCC (see Chapter 4, Installation (↑Installation & Troubleshooting Guide)). At the end of the installation, download and apply all available online updates with YaST or zypper. Then run the YaST setup program (yast susemanager_setup). At the end of the setup routine, you will be asked to register your product at SCC.

Chapter 2. Web Interface — Navigation and Overview

2.1. Navigation

The top navigation bar is divided into tabs. SUSE Manager Administrators see Figure 2.1, “Top Navigation Bar—SUSE Manager” as the top navigation bar. Note that only SUSE Manager Administrators see the Monitoring and Admin tabs.

Figure 2.1. Top Navigation Bar—SUSE Manager

Top Navigation Bar—SUSE Manager

The left navigation bar is divided into pages. The links are context-sensitive. The Figure 2.2, “Left Navigation Bar—Users” is an example of the left navigation bar for the Users tab.

Figure 2.2. Left Navigation Bar—Users

Left Navigation Bar—Users

Some pages have subtabs. These tabs offer an additional layer of granularity in performing tasks for systems or users. Figure 2.3, “Subtabs—System Details” is a menu bar for all System Details subtabs. This system has Management and Provisioning entitlements, but not Monitoring.

Figure 2.3. Subtabs—System Details

Subtabs—System Details

2.1.1. Entitlement Views

Keep in mind, since this guide covers all entitlement levels, some tabs, pages, and even whole categories described here may not be visible to you. For this reason, text markers are used here to identify, which functions are available to each entitlement level.

Table 2.1. Entitlement Markers

Marker

Entitlement

[Mgmt]

Management or higher

[Prov]

Provisioning

[Mon]

Monitoring


If no marker follows a category, page, or tab label in this documentation, the area described is available to all SUSE Manager users. If a marker follows, the associated entitlement is required. Provisioning inherits all the functions of Management. Management features are visible to users with Provisioning entitlement, but not vice versa.

If a marker precedes a paragraph in this documentation, only the part of the page or tab discussed afterwards requires the indicated entitlement level. When a page or tab is associated with a particular entitlement level, all of its tabs and subtabs require at least the same entitlement level but may need a higher entitlement. Regardless, each tab is identified separately.

2.1.2. Categories and Pages

This section summarizes all of the categories and primary pages (those linked from the top and left navigation bars) within the SUSE Manager Web interface. It does not list the many subpages, tabs and subtabs accessible from the left navigation bar and individual pages. Each area of the Web interface is explained in detail later in this chapter.

  • Overview — View and manage your primary account information and get help.

    • Overview — Obtain a quick overview of your account. This page notifies you if your systems need attention, provides a quick link directly to these systems, and displays the most recent patch alerts for your account.

    • Your Account — Update your personal profile and addresses.

    • Your Preferences — Indicate if you wish to receive email notifications about available patches for your systems. Set how many items are displayed in system and group lists. Select your preferred CSV separator.

    • Locale Preferences — Configure timezone.

    • Subscription Management — Manage base and add-on system entitlements, such as Management, Provisioning, and Virtualization.

    • Organization Trusts — Display the trusts established with your organization.

  • Systems — Manage all your systems (including virtual guests) here.

    • Overview — [Mgmt] — View a summary of your systems or system groups showing how many available patches each system has and which systems are entitled.

    • Systems — Select and view subsets of your systems by specific criteria, such as Virtual Systems, Unentitled, Recently Registered, Proxy, and Inactive.

    • System Groups — [Mgmt] — List your system groups. Create additional groups.

    • System Set Manager — [Mgmt] — Perform various actions on sets of systems, including scheduling patch updates, package management, listing and creating new groups, and managing channel entitlements.

    • Advanced Search — [Mgmt] — Quickly search all your systems by specific criteria, such as name, hardware, devices, system info, networking, packages, and location.

    • Activation Keys — [Mgmt] — Generate an activation key for a SUSE Manager-entitled system. This activation key can be used to grant a specific level of entitlement or group membership to a newly registered system using the rhnreg_ks command.

    • Stored Profiles — [Prov] — View system profiles used to provision systems.

    • Custom System Info — [Prov] — Create and edit system information keys with completely customizable values assigned while provisioning systems.

    • Autoinstallation — [Prov] — Display and modify various aspects of autoinstallation profiles (Kickstart and AutoYaST) used in provisioning systems.

  • Patches — View and manage patch (errata) alerts here.

    • Patches — Lists patch alerts and downloads associated RPMs.

    • Advanced Search — Search patch alerts based on specific criteria, such as synopsis, advisory type, and package name.

    • Manage Patches — Manage the patches for an organization's channels.

    • Clone Patches — Clone patches for an organization for ease of replication and distribution across an organization.

  • Channels — View and manage the available SUSE Manager channels and the files they contain.

    • Software Channels — View a list of all software channels and those applicable to your systems.

    • Package Search — Search packages using all or some portion of the package name, description, or summary, with support for limiting searches to supported platforms.

    • Manage Software Channels — [Prov] — Create and edit channels used to deploy configuration files.

    • Distribution Channel Mapping — [Prov] — Define default base channels for servers according to their operating system or architecture when registering.

  • Audit — View and search CVE audits and OpenSCAP scans.

    • CVE Audit — View a list of systems with their patch status regarding a given CVE (Common Vulnerabilities and Exposures) number.

    • OpenSCAP — View and search OpenSCAP scans.

  • Configuration — Keep track of and manage configuration channels, actions, and individual configuration files.

    • Overview — A general dashboard view that shows a configuration summary.

    • Configuration Channels — List and create configuration channels from which any subscribed system can receive configuration files.

    • Configuration Files — List and create files from which systems receive configuration input.

    • Systems — List the systems that have SUSE Manager-managed configuration files.

  • Schedule — Keep track of your scheduled actions.

    • Pending Actions — List scheduled actions that have not been completed.

    • Failed Actions — List scheduled actions that have failed.

    • Completed Actions — List scheduled actions that have been completed. Completed actions can be archived at any time.

    • Archived Actions — List completed actions that have been selected to archive.

    • Action Chains — View and edit defined action chains.

  • Users — [Prov] — View and manage users in your organization.

    • User List — [Prov] — List users in your organization.

  • Monitoring — [Mon] — Run probes and receive notifications regarding systems.

    • Status — [Mon] — View probes by state.

    • Scout Config Push — [Mon] — Display the status of your monitoring infrastructure.

    • Notification — [Mon] — View contact methods established for your organization.

    • Probe Suites — [Mon] — Manage your monitoring infrastructure using suites of monitoring probes that apply to one or more assigned systems.

  • Admin (visible only to SUSE Manager administrators) — Use the Setup Wizard to configure SUSE Manager. List, create, and manage one or more SUSE Manager organizations. The SUSE Manager administrator can assign channel entitlements, create and assign administrators for each organization, and other tasks.

    • Setup Wizard — Streamlined configuration of basic tasks.

    • Organizations — List and create new organizations.

    • Subscriptions — List and manage the software and system entitlements for all organizations covered by SUSE Manager.

    • Users — List all users known by SUSE Manager, across all organizations. Click individual user names to change administrative privileges of the user.

      [Note]

      Users created for organization administration can only be configured by the organization administrator, not the SUSE Manager administrator.

    • SUSE Manager Configuration — Make General configuration changes to the SUSE Manager server, including Proxy settings, Certificate configuration, Bootstrap Script configuration, Organization changes, and Restart the SUSE Manager server.

    • ISS Configuration — Configure master and slave servers for inter-server synchronization.

    • Task Schedules — View and create schedules.

    • Task Engine Status — View the status of the various tasks of the SUSE Manager task engine.

    • Show Tomcat Logs — Display the log entries of the Tomcat server, on which the SUSE Manager server is running.

  • Help — List references to available help resources.

2.1.3. Patch Alert Icons

Throughout SUSE Manager you will see three patch (errata) alert icons. represents a security alert. represents a bug fix alert. represents an enhancement alert.

In the Overview page, click on the patch advisory to view details about the patch or click on the number of affected systems to see which are affected by the patch alert. Both links take you to tabs of the Patch Details page. Refer to Section 4.2.2, “Patch Details” for more information.

2.1.4. Quick Search

In addition to the Advanced Search functionality for Packages, Patches (Errata), Documentation, and Systems offered within some categories, SUSE Manager also offers a Quick Search tool near the top of each page. To use it, select the search item (choose from Systems, Packages, Documentation, and Patches) and type a keyword to look for a name match. Click the Search button. Your results appear at the bottom of the page.

If you misspell a word during your search query, the SUSE Manager search engine performs approximate string (or fuzzy string) matching, returning results that may be similar in spelling to your misspelled queries.

For example, if you want to search for a certain development system called test-1.example.com that is registered with SUSE Manager, but you misspell your query tset, the test-1.example.com system still appears in the search results.

[Note]

If you add a distribution or register a system with a SUSE Manager server, it may take several minutes for it to be indexed and appear in search results.

2.1.5. Systems Selected

On the System Overview page, if you mark the check box next to a system, a tool for keeping track of the systems you have selected for use in the System Set Manager pops up on the top right corner. At any time, it identifies the number of selected systems and provides the means to work with them. Clicking the Clear button deselects all systems while clicking the Manage button launches the System Set Manager with your selected systems in place.

These systems can be selected in a number of ways. Only systems with at least a Management entitlement are eligible for selection. On all system and system group lists, a Select column exists for this purpose. Select the check boxes next to the systems or groups and click the Update List button below the column. Each time the Systems Selected tool at the top of the page changes to reflect the new number of systems ready for use in the System Set Manager. Refer to Section 3.4, “System Set Manager — [Mgmt]” for details.

2.1.6. Lists

The information within most categories is presented in the form of lists. These lists have some common features for navigation. For instance, you can navigate through virtually all lists by clicking the back and next arrows above and below the right side of the table. Some lists also offer the option to retrieve items alphabetically by clicking letters above the table.

[Note]Performing Large List Operations

Performing operations on large lists—such as removing RPM packages from the database with the SUSE Manager Web interface—may take some time and the system may become unresponsive or signal Internal Server Error 500. Nevertheless, the command will succeed in the background if you wait long enough.

2.2. Overview

Entering the SUSE Manager URL in a browser takes you to the Sign in screen. If you click on the About tab before logging in, you will find documentation links, including a search function, and the option to request your login credentials if you forgot either password or login. Click on Lookup Login/Password.

[Note]

If you forgot your password, enter your SUSE Manager Login and Email Address in the Password Reset section and click the Send Password button. Your password will be reset and sent to you. If you cannot remember your username, enter your Email Address in the Login Information section, then click on Send Login. Your username will be sent to you.

After logging into the Web interface of SUSE Manager, the first page to appear is Overview. This page contains important information about your systems, including summaries of system status, actions, and patch alerts.

[Note]

If you are new to the SUSE Manager Web interface, read Section 2.1, “Navigation” to familiarize yourself with the layout and symbols used throughout the interface.

Figure 2.4. Overview

Overview

This page is split into functional areas, with the most critical areas displayed first. Users can control which of the following areas are displayed by making selections on the Overview+Your Preferences page. Refer to Section 2.4, “Your Preferences” for more information.

  • The Tasks area lists the most common tasks an administrator performs via the web. Click any link to reach the page within SUSE Manager that allows you to accomplish that task.

  • If any systems have not been checking in to SUSE Manager, they are listed under Inactive System to the right. Highlighting them in this way allows an administrator to quickly select those systems for troubleshooting.

  • Critical Probes[Mon] — Customers with monitoring enabled on their SUSE Manager can also choose to include a list of all probes in the Critical state.

  • Warning Probes [Mon] — Customers with monitoring enabled on their SUSE Manager can also choose to include a list of all probes in the Warning state.

  • The Most Critical Systems section lists the most critical systems within your organization. It provides a link to quickly view those systems and displays a summary of the patch updates that have yet to be applied to those systems. Click the name of the system to see its System Details page and apply the patch updates. Below the list is a link to View All Critical Systems on one page.

  • The Recently Scheduled Actions section lists all actions less than thirty days old and their status: failed, completed, or pending. Click the label of any given action to view its details page. Below the list is a link to View All Scheduled Actions on one page, which lists all actions that have not yet been carried out on your client systems.

  • The Relevant Security Patches section lists all available security patches that have yet to be applied to some or all of your client systems. It is critical that you apply these security patches to keep your systems secure. Below this list find links to all patches (View All Patches) and to the patches that apply to your systems (View All Relevant Patches).

  • The System Group Names section lists groups you may have created and indicates whether the systems in those groups are fully updated. Click the link below this section to get to the System Groups page, where you can choose System Groups to use with the System Set Manager.

  • The Recently Registered Systems section lists the systems added to the SUSE Manager in the past 30 days. Click a system's name to see its System Details page. Click the link below this section to View All Recently Registered Systems on one page.

To return to this page, click Overview on the left navigation bar.

2.3. Your Account

On the Your Account page modify your personal information, such as name, password, and title. To modify any of this information, make the changes in the appropriate text fields and click the Update button in the bottom right-hand corner.

If you change your SUSE Manager password, for security reasons you will not see the new password while you enter it. Replace the asterisks in the Password and Confirm Password text fields with the new password.

[Note]

Should you forget your password or username, go to the login screen and click the About tab, then select the Lookup Login/Password page. Here you can either specify your login and email address or only your email address if you are not sure about the username. Then click on Send Password or Send Login respectively.

2.3.1. Addresses

On the Addresses page manage your mailing, billing and shipping addresses, and the associated phone numbers. Click Edit this address below the address to be modified, make the changes, and click Update.

2.3.2. Change Email

The email address listed in the Your Account page is the address to which SUSE Manager sends email notifications if you select to receive patch alerts or daily summaries for your systems on the Your Preferences page.

To change your preferred email address, click Change Email in the left navigation bar. Enter your new email address and click the Update button. A confirmation email is sent to the new email address; responding to the confirmation email validates the new email address. Invalid email addresses like those ending in @localhost are filtered and rejected.

2.3.3. Account Deactivation

View or enter external system or API credentials associated with your SUSE Manager account, for example your SUSE Studio credentials.

2.3.4. Account Deactivation

The Account Deactivation page provides a means to cancel your SUSE Manager service. To do so, click the Deactivate Account button. The Web interface returns you to the login screen. If you attempt to log back in, an error message advises you to contact the SUSE Manager administrator for your organization. Note that if you are the only SUSE Manager Administrator for your organization, you are unable to deactivate your account.

2.4. Your Preferences

The Your Preferences page allows you to configure SUSE Manager options, including:

  • Email Notifications — Determine whether you want to receive email every time a patch alert is applicable to one or more systems in your account.

    [Important]

    This setting also enables Management and Provisioning customers to receive a daily summary of system events. These include actions affecting packages, such as scheduled patches, system reboots, or failures to check in. In addition to selecting this check box, you must identify each system to be included in this summary email. By default, all Management and Provisioning systems are included in the summary. Add more systems either individually on the System Details page or for multiple systems at once in the System Set Manager interface. Note that SUSE Manager sends these summaries only to verified email addresses. To disable all messages, simply deselect this check box.

  • SUSE Manager List Page Size — Maximum number of items that appear in a list on a single page. If more items are in the list, clicking the Next button displays the next group of items. This preference applies to system lists, patch lists, package lists, and so on.

  • "Overview" Start Page — Select the information areas that are displayed on the Overview Start Page. Check the box to the left of the information area you would like to include.

  • CSV Files — Select the separator character to be used in downloadable CSV files. Comma is the default; as an alternative use Semicolon, which is more compatible with Microsoft Excel.

After making changes to any of these options, click the Save Preferences button.

2.5. Locale Preferences

On the Overview+Locale Preferences page set your SUSE Manager interface to your local time by selecting the appropriate Time Zone from the drop-down box, then click the Save Preferences button to apply the selection.

2.6. Subscription Management

To use all of the features of SUSE Manager, your systems must be entitled — subscribed to Novell Customer Center. Use the System Entitlements page to configure which systems are entitled to which service offerings.

2.7. Organization Trusts

The Organization Trusts page displays the trusts established with your organization (that is, the organization with which you, the logged-in user, are associated). The page also lists Channels Shared, which refers to channels available to your organization via others in the established trusts.

You can filter the list of trusts by keyword using the Filter by Organization text box and clicking Go.

For more information about organizational trusts, refer to Section “Organizational Trusts” (Chapter 5, Managing Multiple Organizations, ↑Reference Guide).

Chapter 3. Systems

If you click the Systems tab on the top navigation bar, the Systems category and links appear. Here you can select systems to perform actions on them and create system profiles.

3.1. Overview — [Mgmt]

The Overview page provides a summary of your systems, including their status, number of associated patches (errata) and packages, and their entitlement level. Clicking on the name of a system takes you to its System Details page. Refer to Section 3.2.14, “System Details” for more information.

Clicking View System Groups at the top of the Overview page takes you to a similar summary of your system groups. It identifies group status and displays the number of systems contained. Clicking on the number of systems takes you to the Systems tab of the System Group Details page, while clicking on the system name takes you to the Details tab for that system. Refer to Section 3.3.3, “System Group Details — [Mgmt]” for more information.

You can also click on Use in SSM in the System Groups section to go directly to the System Set Manager. Refer to Section 3.4, “System Set Manager — [Mgmt]” for more information.

3.2. Systems

The Systems page displays a list of all your registered systems. Several columns provide information for each system:

  • Select: Unentitled systems cannot be selected. To select systems, mark the appropriate check boxes. Selected systems are added to the System Set Manager, where actions can be carried out simultaneously on all systems in the set. Refer to Section 3.4, “System Set Manager — [Mgmt]” for details.

  • System: The name of the system specified during registration. The default name is the hostname of the system. Clicking on the name of a system displays its System Details page. Refer to Section 3.2.14, “System Details” for more information.

  • Updates: Shows which type of update action is applicable to the system or confirms that the system is up-to-date. Some icons are linked to related tasks. For instance, the standard Updates icon is linked to the Upgrade subtab of the packages list, while the Critical Updates icon links directly to the Update Confirmation page. The Not Checking In icon is linked to instructions for resolving the issue.

    • — System is up-to-date.

    • — Critical patch (errata) available, update strongly recommended.

    • — Updates available and recommended.

    • — System is locked; actions prohibited.

    • — System is being deployed using AutoYaST or Kickstart.

    • — Updates have been scheduled.

    • — System not checking in properly (for 24 hours or more).

    • — System not entitled to any update service.

  • Patches — Total number of patch alerts applicable to the system.

  • Packages: Total number of package updates for the system, including packages related to patch alerts as well as newer versions of packages not related to patch alerts. For example, if a client system that has an earlier version of a package installed gets subscribed to the appropriate base channel of SUSE Manager (such as SUSE Linux Enterprise 11 SP3), that channel may have an updated version of the package. If so, the package appears in the list of available package updates.

    [Important]

    If SUSE Manager identifies package updates for the system, but the package updater (such as Red Hat Update Agent or YaST) responds with a message like "Your system is fully updated", a conflict likely exists in the system's package profile or in the up2date configuration file. To resolve the conflict, either schedule a package list update or remove the packages from the package exceptions list. Refer to Section 3.2.14, “System Details” for instructions.

  • Configs: Total number of configuration files applicable to the system.

  • Base Channel: The primary channel for the system based on its operating system. Refer to Section 5.1, “Software Channels” for more information.

  • Entitlement: Shows whether or not the system is entitled and at what service level.

Links in the left navigation bar below Systems enable you to select and view predefined sets of your systems. All of the options described above can be applied within these pages.

3.2.1. All

The All page contains the default set of your systems. It displays every system you have permission to manage. You have permission if you are the only user in your organization, if you are a SUSE Manager Administrator, or if the system belongs to a group for which you have admin rights.

3.2.2. Virtual Systems

To reach this page, select the Systems tab, followed by the Systems subtab from the left navigation bar, and finally select Virtual Systems from the left navigation bar. This page lists each virtual host of which SUSE Manager is aware and the guest systems on those hosts.

System

This column displays the name of each guest system.

Updates

This column shows whether there are patches (errata updates) available for the guest systems that have not yet been applied.

Status

This column indicates whether a guest is running, paused, or stopped.

Base Channel

This column displays the base channel to which the guest is currently subscribed.

Only guests registered with SUSE Manager are displayed with blue text. Clicking on the hostname of such a guest system displays its System Details page.

3.2.3. Bare Metal

Here, all unprovisioned (bare-metal) systems are listed. For more information on bare-metal systems, see Section 12.5.7, “Admin > SUSE Manager Configuration > Bare-metal systems.

3.2.4. Out of Date

The Out of Date page displays all systems where applicable patch alerts have not been applied.

3.2.5. Requiring Reboot

Systems listed here need rebooting. Click on the name for details, where you can also schedule a reboot.

3.2.6. Non-compliant Systems

Non-compliant systems have packages installed which are not available from SUSE Manager. Packages shows how many installed packages are not available in the channels assigned to the system. A non-compliant system cannot be reinstalled.

3.2.7. Unentitled — [Mgmt]

The Unentitled page displays systems that have not yet been entitled for SUSE Manager service.

3.2.8. Ungrouped

The Ungrouped page displays systems not yet assigned to a specific system group.

3.2.9. Inactive

The Inactive page displays systems that have not checked in with SUSE Manager for 24 hours or more. Checking in means that the Red Hat Update Agent on Red Hat Enterprise Linux or the YaST Online Update on SUSE Linux Enterprise client systems connects to SUSE Manager to see if there are any updates available or if any actions have been scheduled. If you see a message telling you that check-ins are not taking place, the client system is not successfully connecting to SUSE Manager. The reason may be one of the following:

  • The system is not entitled to any SUSE Manager service. System profiles that remain unentitled for 180 days (6 months) are removed.

  • The system is entitled, but the SUSE Manager daemon (rhnsd) has been disabled on the system. Refer to Chapter 3, SUSE Manager Daemon (↑Reference Guide) for instructions on restarting and troubleshooting.

  • The system is behind a firewall that does not allow connections over https (port 443).

  • The system is behind an HTTP proxy server that has not been properly configured.

  • The system is connected to a SUSE Manager Proxy Server or SUSE Manager that has not been properly configured.

  • The system itself has not been properly configured, perhaps pointing at the wrong SUSE Manager Server.

  • The system is not in the network.

  • Some other barrier exists between the system and the SUSE Manager Server.

3.2.10. Recently Registered

The Recently Registered page displays any systems that have been registered in a given period. Use the drop-down menu to specify the period in days, weeks, 30- and 180-day increments, and years.

3.2.11. Proxy

The Proxy page displays the SUSE Manager Proxy Server systems registered with your SUSE Manager server.

3.2.12. Duplicate Systems

The Duplicate Systems page lists current systems and any active and inactive entitlements associated with them. Active entitlements are in gray, while inactive entitlements are highlighted in yellow and their check boxes checked by default for you to delete them as needed by clicking the Delete Selected button. Entitlements are inactive if the system has not checked in with SUSE Manager in a time specified via the drop-down list A system profile is inactive if its system has not checked in for:.

You can filter duplicate entitlements by IP Address, Hostname, or MAC address by clicking on the respective subtab. You may filter further by inactive time or typing the system's hostname, IP address, or MAC address in the corresponding Filter by: text box.

To compare up to three duplicate entitlements at one time, click the Compare Systems link in the Last Checked In column. Inactive components of the systems are highlighted in yellow. You can then determine which systems are inactive or duplicate and delete them by clicking the Delete System Profile button. Click the Confirm Deletion button to confirm your choice.

3.2.13. System Currency

The System Currency Report displays an overview of severity scores of patches relevant to the system. The weighting is defined via the System Details page. The default weight awards critical security patches with the heaviest weight and enhancements with the lowest. The report can be used to prioritize maintenance actions on the systems registered to SUSE Manager.

3.2.14. System Details

Once systems are registered to SUSE Manager, they are displayed on the Systems+Overview page. Here and on any other page, clicking the name takes you to the System Details page of the client, where all kinds of administrative tasks can be performed, including the removal of a system.

[Note]

The delete system link in the upper right of this screen refers to the system profile only. Deleting a host system profile will not destroy or remove the registration of guest systems. Deleting a guest system profile does not remove it from the list of guests for its host, nor does it stop or pause the guest. It does, however, remove your ability to manage it via SUSE Manager.

If you mistakenly deleted a system profile from SUSE Manager, you may re-register the system using the bootstrap script (see Chapter 5, Using Bootstrap (↑Client Configuration Guide)) or rhnreg_ks manually.

The Details page has numerous subtabs that provide specific system information as well as other identifiers unique to the system. The following sections discuss these tabs and their subtabs in detail.

3.2.14.1. System Details > Details

This page is not accessible from any of the standard navigation bars. However, clicking on the name of a system anywhere in the Web interface displays this page. By default the Details+Overview subtab is displayed. Other tabs are available, depending on the current entitlement level of the system.

3.2.14.1.1. System Details > Details > Overview

This system summary page displays the system status message and the following key information about the system:

System Status

This message indicates the current state of your system in relation to SUSE Manager.

[Note]

If updates are available for any entitled system, the message Software Updates Available appears, displaying the number of critical and non-critical updates as well as the sum of affected packages. To apply these updates, click on Packages and select some or all packages to update, then click Upgrade Packages.

System Info

Hostname

The hostname as defined by the client system.

IP Address

The IP address of the client.

IPv6 Address

The IPv6 address of the client.

Virtualization

If the client is a virtual machine, the type of virtualization is listed.

UUID

Displays the universally unique identifier.

Kernel

The kernel installed and operating on the client system.

SUSE Manager System ID

A unique identifier generated each time a system registers with SUSE Manager.

[Note]

The system ID can be used to eliminate duplicate profiles from SUSE Manager. Compare the system ID listed on this page with the information stored on the client system in the /etc/sysconfig/rhn/systemid file. In that file, the system's current ID is listed under system_id. The value starts after the characters ID-. If the value stored in the file does not match the value listed in the profile, the profile is not the most recent one and may be removed.

Activation Key

Displays the activation key used to register the system.

Installed Products

Lists the products installed on the system.

Lock Status

Indicates whether a system has been locked.

Actions cannot be scheduled for locked systems on the Web interface until the lock is removed manually. This does not include preventing automated patch updates scheduled via the Web interface. To prevent the application of automated patch updates, deselect Auto Patch Update from the System Details+Details+Properties subtab. For more information, refer to Section 3.2.14.1.2, “System Details > Details > Properties”.

Locking a system can prevent you from accidentally changing a system. For example, the system may be a production system that should not receive updates or new packages until you decide to unlock it.

[Important]

Locking a system in the Web interface will not prevent any actions that originate from the client system. For example, if a user logs into the client directly and runs YaST Online Update (on SLE) or pup (on RHEL), the update tool will install available patches whether or not the system is locked in the Web interface.

Locking a system does not restrict the number of users who can access the system via the Web interface. If you wish to restrict access to the system, associate that system with a System Group and assign a System Group Administrator to it. Refer to Section 3.3, “System Groups — [Mgmt]” for more information about System Groups.

It is also possible to lock multiple systems via the System Set Manager. Refer to Section 3.4.11.6, “System Set Manager > Misc > Lock/Unlock — [Mgmt]” for instructions.

Subscribed Channels

List of subscribed channels. Clicking on a channel name takes you to the Basic Channel Details page. To change subscriptions, click the (Alter Channel Subscriptions) link right beside the title to assign available base and child channels to this system. When finished making selections, click the Change Subscriptions button to change subscriptions and the base software channel. For more information, refer to Section 3.2.14.2.3, “System Details > Software > Software Channels ”.

Base Channel

The first line indicates the base channel to which this system is subscribed. The base channel should match the operating system of the client.

Child Channels

The subsequent lines of text, which depend on the base channel, list child channels. An example is the SUSE Manager Tools channel.

System Events

Checked In

The date and time at which the system last checked in with SUSE Manager.

Registered

The date and time at which the system registered with SUSE Manager and created this profile.

Last Booted

The date and time at which the system was last started or restarted.

[Note]

Systems with a Management entitlement can be rebooted from this screen.

  1. Select Schedule system reboot.

  2. Provide the earliest date and time at which the reboot may take place.

  3. Click the Schedule Reboot button in the lower right.

When the client checks in after the scheduled start time, SUSE Manager will instruct the system to restart itself.

[Prov] — OSA status is also displayed for client systems registered with SUSE Manager that have a Provisioning entitlement and have enabled OSA. For more information about OSA, refer to Section “Enabling Push to Clients” (Chapter 8, Maintenance, ↑Installation & Troubleshooting Guide).

Push enables SUSE Manager customers to immediately initiate tasks on Provisioning-entitled systems rather than wait for those systems to check in with SUSE Manager. Scheduling actions through push is identical to the process of scheduling any other action, except that the task can immediately be carried out instead of waiting the set interval for the system to check in.

In addition to the configuration of SUSE Manager, each client system to receive pushed actions must have the osad package installed and its service started. Refer to the Section “Enabling Push to Clients” (Chapter 8, Maintenance, ↑Installation & Troubleshooting Guide) for details.

System Properties

Entitlements

Lists entitlements currently applied to the system.

Notifications

Indicates the notification options for this system. You can choose whether you wish to receive email notifying you of available updates for this system. In addition, you may choose to include Management-entitled systems in the daily summary email.

Contact Method

Available methods: Pull, Push via SSH, and Push via SSH tunnel.

Auto Patch Update

Indicates whether this system is configured to accept updates automatically.

System Name

By default, the hostname of the client is displayed, but a different system name can be assigned.

Description

This information is automatically generated at registration. You can edit the description to include any information you wish.

Location

This field displays the physical address of the system if specified.

Clicking the Edit These Properties link right beside the System Properties title opens the System Details+Properties subtab. On this page, edit any text you choose, then click the Update Properties button to confirm.

3.2.14.1.2. System Details > Details > Properties

This subtab allows you to alter the following basic properties of your system:

System Details Properties

System Name

By default, this is the hostname of the system. You can however alter the profile name to anything that allows you to distinguish this system from others.

Base Entitlement

Select one of the available base entitlements.

Add-on entitlements

If available, apply a Monitoring, Provisioning or Virtualization Platform entitlement to the system.

Notifications

Select whether notifications about this system should be sent and whether to include this system in the daily summary. (By default, all Management and Provisioning systems are included in the summary.) This setting keeps you aware of all advisories pertaining to the system. Anytime an update is released for the system, you receive an email notification.

The daily summary reports system events that affect packages, such as scheduled patch updates, system reboots, or failures to check in. In addition to including the system here, you must choose to receive email notification in the Your Preferences page of the Overview category.

Contact Method

Select between Pull, Push via SSH, and Push via SSH tunnel.

Auto Patch Update

If this box is checked, available patches are automatically applied to the system when it checks in (Pull) or immediately if you select either Push option. This action takes place without user intervention. The SUSE Manager Daemon (rhnsd) must be enabled on the system for this feature to work.

[Note]Conflicts With Third Party Packages

Enabling auto-update might lead to failures because of conflicts between system updates and third party packages. To avoid failures caused by those issues, it is better to leave this box unchecked.

Description

By default, this text box records the operating system, release, and architecture of the system when it first registers. Edit this information to include anything you like.

The remaining fields record the physical address at which the system is stored. To confirm any changes to these fields, click the Update Properties button.

[Note]Setting Properties for Multiple Systems

Many of these properties can be set for multiple systems in one go via the System Set Manager interface. Refer to Section 3.4, “System Set Manager — [Mgmt]” for details.

3.2.14.1.3. System Details > Details > Remote Command — [Prov]

This subtab allows you to run a remote command on the system if the system has a Provisioning entitlement. Before doing so, you must first configure the system to accept such commands.

  1. On SLE clients, subscribe the system to the SUSE Manager Tools child channel and use zypper to install the rhncfg, rhncfg-client, and rhncfg-actions packages, if not already installed:

    zypper in rhncfg rhncfg-client rhncfg-actions
           

    On RHEL clients, subscribe the system to the Tools child channel and use up2date or yum to install the rhncfg, rhncfg-client, and rhncfg-actions packages, if not already installed:

    yum install rhncfg rhncfg-client rhncfg-actions
           
  2. Log into the system as root and add the following file to the local SUSE Manager configuration directory: allowed-actions/scripts/run.

    1. Create the necessary directory on the target system:

      mkdir -p /etc/sysconfig/rhn/allowed-actions/script
      
    2. Create an empty run file in that directory to act as a flag to SUSE Manager, signaling permission to allow remote commands:

      touch /etc/sysconfig/rhn/allowed-actions/script/run
      

Once the setup is complete, refresh the page in order to view the text fields for remote commands. Identify a specific user, group, and timeout period, as well as the script to run. Select a date and time to execute the command, then click Schedule Remote Command or add the remote command to an action chain. For further information on action chains, refer to Section 9.5, “Action Chains”.

3.2.14.1.4. System Details > Details > Reactivation — [Prov]

Reactivation keys, available only for systems that have a Provisioning entitlement, include this system's ID, history, groups, and channels. This key can then be used only once with the rhnreg_ks command line utility to re-register this system and regain all SUSE Manager settings. Unlike typical activation keys, which are not associated with a specific system ID, keys created here do not show up within the Activation Keys page.

Reactivation keys can be combined with activation keys to aggregate the settings of multiple keys for a single system profile. For example:

rhnreg_ks --server=server-url \
  --activationkey=reactivation-key,activationkey --force
[Warning]

When autoinstalling a system with its existing SUSE Manager profile, the profile uses the system-specific activation key created here to re-register the system and return its other SUSE Manager settings. For this reason, you should not regenerate, delete, or use this key (with rhnreg_ks) while a profile-based autoinstallation is in progress. If you do, the autoinstallation will fail.

3.2.14.1.5. System Details > Details > Hardware

This subtab provides detailed information about the system, including networking, BIOS, memory, and other devices but only if you included the hardware profile for this machine during registration. If the hardware profile looks incomplete or outdated, click the Schedule Hardware Refresh button. The next time the SUSE Manager Daemon (rhnsd) connects to SUSE Manager, it will update your system profile with the latest hardware information.

3.2.14.1.6. System Details > Details > Migrate

This subtab provides the option to migrate systems between organizations. Select an Organization Name and click Migrate System to initiate the migration.

3.2.14.1.7. System Details > Details > Notes

This subtab provides a place to create notes about the system. To add a new note, click the create new note link, type a subject and write your note, then click the Create button. To modify a note, click on its subject in the list of notes, make your changes, and click the Update button. To remove a note, click on its subject in the list of notes then click the delete note link.

3.2.14.1.8. System Details > Details > Custom Info — [Prov]

This subtab, available for systems with a Provisioning entitlement, provides completely customizable information about the system. Unlike Notes, Custom Info is structured, formalized, and can be searched. Before you can provide custom information about a system, you must have Custom Information Keys. Click on Custom System Info in the left navigation bar. Refer to Section 3.8, “Custom System Info — [Prov]” for instructions.

Once you have created one or more keys, you may assign values for this system by selecting the create new value link. Click the name of the key in the resulting list and enter a value for it in the Description field, then click the Update Key button.

3.2.14.1.9. System Details > Details > Proxy

This tab is only available for SUSE Manager Proxy systems and lists all clients registered with the selected SUSE Manager Proxy server.

3.2.14.2. System Details > Software

This tab and its subtabs allow you to manage the software on the system: patches (errata), packages and package profiles, software channel memberships, and service pack (SP) migrations.

3.2.14.2.1. System Details > Software > Patches

This subtab contains a list of patch (errata) alerts applicable to the system. Refer to Section 2.1.3, “Patch Alert Icons” for meanings of the icons on this tab. To apply updates, select them and click the Apply Patches button. Double-check the updates to be applied on the confirmation page, then click the Confirm button. The action is added to the Pending Actions list under Schedule. Patches that have been scheduled cannot be selected for update. Instead of a check box there is a clock icon. Click on the clock to see the Action Details page.

A Status column in the patches table shows whether an update has been scheduled. Possible values are: None, Pending, Picked Up, Completed, and Failed. This column displays only the latest action related to a patch. For instance, if an action fails and you reschedule it, this column shows the status of the patch as Pending with no mention of the previous failure. Clicking a status other than None takes you to the Action Details page. This column corresponds to the one on the Affected Systems tab of the Patch Details page.

3.2.14.2.2. System Details > Software > Packages

Manage the software packages on the system. Most of the following actions can also be performed via action chains. For further information on action chains, refer to Section 9.5, “Action Chains”.

[Warning]

When new packages or updates are installed on the client via SUSE Manager, any licenses (EULAs) requiring agreement before installation are automatically accepted.

Packages

The default display of the Packages tab describes the options available and provides the means to update your package list. To update or complete a potentially outdated list, possibly due to the manual installation of packages, click the Update Package List button in the bottom right-hand corner of this page. The next time the SUSE Manager Daemon (rhnsd) connects to SUSE Manager, it updates your system profile with the latest list of installed packages.

List/Remove

Lists installed packages and enables you to remove them. View and sort packages by name, architecture, and the date they were installed on the system. Search for the desired packages by typing its name in the Filter by Package Name text box, or by clicking the letter or number corresponding to the first character of the package name. Click on a package name to view its Package Details page. To delete packages from the system, select their check boxes and click the Remove Packages button on the bottom right-hand corner of the page. A confirmation page appears with the packages listed. Click the Confirm button to remove the packages.

Upgrade

Displays a list of packages with newer versions available in the subscribed channels. Click on the latest package name to view its Package Details page. To upgrade packages immediately, select them and click the Upgrade Packages button. Any EULAs will be accepted automatically. To download the packages as a .tar file, select them and click the Download Packages button.

Install

Install new packages on the system from the available channels. Click on the package name to view its Package Details page. To install packages, select them and click the Install Selected Packages button. EULAs are automatically accepted.

Verify

Validates the packages installed on the system against its RPM database. This is the equivalent of running rpm -V. The metadata of the system's packages are compared with information from the database, such as file checksum, file size, permissions, owner, group and type. To verify a package or packages, select them, click the Verify Selected Packages button, and confirm. When the check is finished, select this action in the History subtab under Events to see the results.

Lock

Locking a package prevents modifications like removal or update of the package. Since locking and unlocking happens via scheduling requests, locking might take effect with some delay. If an update happens before then, the lock will have no effect. Select the packages you want to lock. If locking should happen later, select the date and time above the Request Lock button, then click on it. A small lock icon marks locked packages. To unlock, select the package and click Request Unlock, optionally specifying the date and time for unlocking to take effect.

[Note]

This feature only works if Zypper is used as package manager. On the target machine the zypp-plugin-spacewalk package, version 0.96 or higher, must be installed.

Profiles

Compare installed packages with the package lists in stored profiles and other Management and Provisioning systems. Select a stored profile from the drop-down menu and click the Compare button. To compare with packages installed on a different system, select the system from the associated drop-down menu and click the Compare button. To create a stored profile based on the existing system, click the Create System Profile button, enter any additional information you desire, and click the Create Profile button. These profiles are kept within the Stored Profiles page linked from the left navigation bar.

[Prov] — Once installed packages have been compared with a profile, Provisioning customers have the option to synchronize the selected system with the profile. Note that all changes apply to the system not the profile. Packages might get deleted and additional packages installed on the system. To install only specific packages, click the respective check boxes in the profile. To remove specific packages installed on the system, select the check boxes of these packages showing a difference of This system only. To completely synchronize the system's packages with the compared profile, select the master check box at the top of the column. Then click the Sync Packages to button. On the confirmation screen, review the changes, select a time frame for the action, and click the Schedule Sync button.

3.2.14.2.3. System Details > Software > Software Channels

Software channels provide a well-defined method to determine which packages should be available to a system for installation or upgrade based on its operating systems, installed packages, and functionality. Click a channel name to view its Channel Details page. To modify the child channels associated with this system, use the check boxes next to the channels and click the Change Subscriptions button. You will receive a success message or be notified of any errors. To change the system's base channel, select the new one from the drop-down menu and click the Modify Base Channel button. Refer to Section 5.1, “Software Channels” for more information.

3.2.14.2.4. System Details > Software > SP Migration — [Mgmt]

Service Pack Migration (SP Migration) means upgrading a system from one service pack level to next level.

[Warning]

During migration SUSE Manager automatically accepts any required licenses (EULAs) before installation.

SUSE only supports one step at a time, this means it is not be possible to migrate from e.g., SP1 to SP3. Supported migration paths include:

  • SLES 11 SP1 → SLES 11 SP2 → SLES 11 SP3

  • SLE 10 SP2 → SLE 10 SP3 → SLE 10 SP4

  • SUSE Manager Proxy 1.2 → SUSE Manager Proxy 1.7

[Warning]Rollback Not Possible

The migration feature does not cover any rollback functionality. Once the migration procedure is started, rolling back is not possible. Therefore it is recommended to have a working system backup available for an emergency.

For more information, see Chapter 6, Service Pack Migration (↑Client Configuration Guide) and Section “Migrating SUSE Manager Proxy 1.7 to SUSE Manager Proxy 2.1” (↑Proxy Quick Start).

3.2.14.2.5. System Details > Software > Software Crashes — [Mgmt]

Red Hat clients can be configured to report software failures to SUSE Manager via the Automatic Bug Reporting Tool (ABRT) to extend the overall reporting functionality of your systems. This functionality is not supported on SUSE Linux Enterprise systems. If configured appropriately, Red Hat clients automatically report software failures captured by ABRT and process the captured failures in a centralized fashion on SUSE Manager. You can use either the Web interface or the API to process these failure reports. For information about setting up the tools for ABRT on Red Hat client systems, see the Client Configuration Guide Section “Reporting Software Failures” (Chapter 2, Red Hat Linux Client Applications, ↑Client Configuration Guide).

The following procedure shows how to view software reports for a single Red Hat client system with ABRT tools installed.

Procedure 3.1. Software Failures on a Single Client

  1. On the Systems page, select the Red Hat system, click on its name, then Software+Software Crashes to see the list of software failures that occurred on the registered system.

  2. Click the required failure to see its details and the files captured for this software failure report.

Software failures can be grouped across all Red Hat systems by Crash UUID. This helps with identifying similar software crashes.

Procedure 3.2. Grouped Software Failures

  1. Click the Systems tab, then select Software Crashes from the left navigation bar.

  2. Click the on a Crash UUID to see the systems affected by the software failure.

  3. Click on a specific system to see details and the files captured for the individual software failure report.

To download software failure reports, click on Download CSV.

With every software failure, clients upload the files captured by ABRT during the failure to your SUSE Manager. Because these files may be of arbitrary length, you can configure an organization-wide size limit for the upload of a single crash file.

Procedure 3.3. Changing Organization Settings

  1. On the Admin page, click on the organization name, then select Configuration.

  2. Modify the desired upload size settings, then click Update Organization to save.

The organization-wide settings for individual crash files are now changed to the chosen values.

3.2.14.3. System Details > Configuration — [Prov]

This tab and its subtabs, which do not appear without a Provisioning entitlement, assist in managing the configuration files associated with the system. These configuration files may be managed solely for the current system or distributed widely via a Configuration Channel. The following sections describe these and other available options on the System Details+Configuration subtabs.

[Note]

To manage the configuration of a system, it must have the latest rhncfg* packages installed. Refer to Section 8.1, “Preparing Systems for Config Management” for instructions on enabling and disabling scheduled actions for a system.

This section is available to normal users with access to systems that have configuration management enabled. Like software channels, configuration channels store files to be installed on systems. While software updates are provided by NCC, configuration files are managed solely by you. Also unlike with software packages, various versions of configuration files may prove useful to a system at any given time. Only the latest version can be deployed.

3.2.14.3.1. System Details > Configuration > Overview

This subtab provides access to the configuration files of your system and to the most common tasks used to manage configuration files. In the Configuration Overview, click on the blue links to add files, directories or symlinks. Here you also find shortcuts to perform any of the common configuration management tasks listed on the right of the screen by clicking one of the links under Configuration Actions.

3.2.14.3.2. System Details > Configuration > View/Modify Files

This subtab lists all configuration files currently associated with the system. These are sorted via subtabs in centrally and locally managed files and a local sandbox for files under development.

Centrally-Managed Files

Centrally-managed configuration files are provided by global configuration channels. Determine which channel provides which file by examining the Provided By column below. Some of these centrally-managed files may be overridden by locally-managed files. Check the "Overridden By" column to find out if any files are overridden.

Locally-Managed Files

Locally-managed configuration files are useful for overriding centrally-managed configuration profiles that cause problems on particular systems. Also, locally-managed configuration files are a method by which system group administrators who don't have configuration administration privileges can manage configuration files on the machines they are able to manage.

Local Sandbox

In the sandbox you can store configuration files under development. You can promote files from the sandbox to a centrally-managed configuration channel using Copy Latest to Central Channel. After files in this sandbox have been promoted to a centrally-managed configuration channel, you will be able to deploy them to other systems.

3.2.14.3.3. System Details > Configuration > Add Files

To upload, import or create new configuration files, click on Add Files.

Upload File

To upload a configuration file from your local machine, browse for the upload file, specify whether it is a text or binary file, enter Filename/Path as well as user and group ownership. Specific file permissions can be set. When done, click Upload Configuration File.

Import Files

Via the Import Files tab, you can add files from the system you have selected before and add it to the sandbox of this system. Files will be imported the next time rhn_check runs on the system. To deploy these files or override configuration files in global channels, copy this file into your local override channel after the import has occurred.

In the text field under Import New Files enter the full path of any files you want import into SUSE Manager or select deployable configuration files from the Import Existing Files list. When done, click Import Configuration Files.

Create File

Under Create File, you can directly create the config file from scratch. Select the file type, specify the path and filename, where to store the file, plus the symbolic link target filename and path. Ownership and permissions as well as macro delimiters need to be set. For more information on using macros, see Section 8.4.3, “Including Macros in your Configuration Files”. In the File Contents text field, type the configuration file. Select the type of file you are creating from the drop-down menu. Possible choices are Bash, Perl, Php, Python, Ruby and XML. When done, click Create Configuration File

3.2.14.3.4. System Details > Configuration > Deploy Files

Under Deploy Files you find all files that can be deployed on the selected system. Files from configuration channels with a higher priority take precedence over files from configuration channels with a lower priority. If you want to deploy any of these files to the client system and overwrite changes that have been made locally, check the box to the left of the file and click the Deploy Configuration button. On the following screen, choose a deployment time and click the Schedule Deploy button to confirm.

[Note]

If you click on the Filename of a (system override) file, you can edit its contents.

The Overrides column identifies the configuration file in an unsubscribed channel that would replace the same file in a currently subscribed channel. For example, if a system has /etc/foo from channel bar and /etc/foo from channel baz is in the Overrides column, then unsubscribing from channel bar will mean that the file from channel baz will be applicable. If no file is listed in the Overrides column for a given file path, then unsubscribing from the channel providing the file will mean that the file is no longer managed (though it will not be removed from the system).

3.2.14.3.5. System Details > Configuration > Compare Files

This subtab compares a configuration file stored on the SUSE Manager with the file stored on the client. (It does not compare versions of the same file stored in different channels.) Select the files to be compared, click the Compare Files button, select a time to perform the diff, and click the Schedule Compare button to confirm. After the diff has been performed, return to this page to see the results.

3.2.14.3.6.  System Details > Configuration > Manage Configuration Channels

This subtab allows you to subscribe to and rank configuration channels associated with the system, lowest first.

The List/Unsubscribe from Channels subtab contains a list of the system's configuration channel subscriptions. Click the check box next to the Channel and click Unsubscribe to remove the subscription to the channel.

The Subscribe to Channels subtab lists all available configuration channels. To subscribe to a channel, select the check box next to it and press Continue. To subscribe to all configuration channels, click Select All and press Continue. The View/Modify Rankings page automatically loads.

The View/Modify Rankings subtab allows users to set the priority with which files from a particular configuration channel are ranked. The higher the channel is on the list, the more its files take precedence over files on lower-ranked channels. For example, the higher-ranked channel may have an httpd.conf file that will take precedence over the same file in a lower-ranked channel.

3.2.14.3.7. System Details > Configuration > Local Overrides

This subtab displays the default configuration files for the system and allows you to manage them. If no files exist, use the add files, upload files, and add directories links within the page description to associate files with this system. These tabs correspond to those on the Configuration Channel Details page affecting your entire organization and available only to Configuration Administrators. Refer to Section 8.3.1, “Configuration > Configuration Channels > Configuration Channel Details for more information.

If a file exists, click its name to go to the Configuration File Details page. Refer to Section 8.4, “Configuration Files” for instructions. To replicate the file within a config channel, select its check box, click the Copy to Config Channel button, and select the destination channel. To remove a file, select it and click Delete Selected Files.

3.2.14.4. System Details > Provisioning — [Prov]

The Provisioning tab and its subtabs allow you to schedule and monitor AutoYaST or Kickstart installations and to restore a system to its previous state. AutoYaST is a SUSE Linux and Kickstart is a Red Hat utility—both allow you to automate the reinstallation of a system. Snapshot rollbacks provide the ability to revert certain changes on the system. You can roll back a set of RPM packages, but rolling back across multiple update levels is not supported. Both features are described in the sections that follow.

3.2.14.4.1.  System Details > Provisioning > Autoinstallation — [Prov]

This subtab is further divided into Session Status, which tracks the progress of previously scheduled autoinstallations, and Schedule, which allows you to configure and schedule an autoinstallation for this system.

In the Schedule subtab, schedule the selected system for autoinstallation. Choose from the list of available profiles.

[Note]

You must first create a profile before it appears on this subtab. If you have not created any profiles, refer to Section 3.9.4, “Create a New Kickstart Profile” before scheduling an autoinstallation for a system.

To alter autoinstallation settings, click on the Advanced Configuration button. Configure the network connection and post-installation networking information. You can aggregate multiple network interfaces into a single logical "bonded" interface. In Kernel Options specify kernel options to be used during autoinstallation. Post Kernel Options are used after the installation is complete and the system is booting for the first time. Configure package profile synchronization.

Select a time for the autoinstallation to begin and click Schedule Autoinstall and Finish for all changes to take effect and to schedule the autoinstallation.

Alternatively, click Create PXE Installation Configuration to create a Cobbler system record. The selected autoinstallation profile will be used to automatically install the configured distribution next time that particular system boots from PXE. In this case SUSE Manager and its network must be properly configured to allow PXE booting.

[Note]

Any settings changed on the Advanced Configuration page will be ignored when creating a PXE installation configuration for Cobbler.

The Variables subtab can be used to create Kickstart variables, which substitute values in Kickstart files. To define a variable, create a name-value pair (name/value) in the text box.

For example, if you want to Kickstart a system that joins the network of a specific organization (for instance the Engineering department) you can create a profile variable to set the IP address and the gateway server address to a variable that any system using that profile will use. Add the following line to the Variables text box:

IPADDR=192.168.0.28
GATEWAY=192.168.0.1

To use the system variable, use the name of the variable in the profile instead of the value. For example, the network portion of a Kickstart file could look like the following:

network --bootproto=static --device=eth0 --onboot=on --ip=$IPADDR \
  --gateway=$GATEWAY

The $IPADDR will be 192.168.0.28, and the $GATEWAY will be 192.168.0.1.

[Note]

There is a hierarchy when creating and using variables in Kickstart files. System Kickstart variables take precedence over profile variables, which in turn take precedence over distribution variables. Understanding this hierarchy can alleviate confusion when using variables in Kickstarts.

Using variables are just one part of the larger Cobbler infrastructure for creating templates that can be shared between multiple profiles and systems. For more information about Cobbler and Kickstart templates, refer to Chapter 7, Cobbler (↑Reference Guide).

3.2.14.4.2.  System Details > Provisioning > Power Management — [Prov]

SUSE Manager allows you to power on, off, and reboot systems (either physical or bare-metal) via the IPMI protocol if the systems are IPMI-enabled. You need a fully patched SUSE Manager 2.1 installation. To use any power management functionality, IPMI configuration details must be added to SUSE Manager. First select the target system on the systems list, then selectProvisioning+Power Management. On the displayed configuration page, edit all required fields (marked with a red asterisk) and click Save.

Systems can be powered on, off, or rebooted from the configuration page via corresponding buttons. Note that any configuration change is also saved in the process. The Save and Get Status button can also be used to query for the system's power state. If configuration details are correct, a row is displayed with the current power status ("on" or "off"). If a power management operation succeeds on a system, it will also be noted in its Event History tab.

Power management functionalities can also be used from the system set manager to operate on multiple systems at the same time. Specifically, you can change power management configuration parameters or apply operations (power on, off, reboot) to multiple systems at once. In order to do that, add respective systems to the system set manager as described in Section 3.4, “System Set Manager — [Mgmt]”.

Then click on Manage+ Provisioning+Power Management Configuration to change one or more configuration parameters for all systems in the set. Note that any field left blank will not alter the configuration parameter in selected systems.

Once all configuration parameters are set correctly, click on Manage+Provisioning+Power Management Operations to power on, off or reboot systems from the set. Note that the Provisioning entitlement is required for non-bare metal systems.

To check that a power operation was executed correctly, click on System Set Manager+Status on the left-hand menu, then click on the proper line in the list. This will display a new list with systems to which the operation was applied. In the event of errors which prevent correct execution, a brief message with an explanation will be displayed in the Note column.

This feature uses Cobbler power management, thus a Cobbler system record is automatically created at first use if it does not exist already. In that case, the automatically created system record will not be bootable from the network and will reference a dummy image. This is needed because Cobbler does not currently support system records without profiles or images. The current implementation of Cobbler power management uses the fence-agent tools to support multiple protocols besides IPMI. Those are not supported by SUSE Manager but can be used by adding the fence agent names as a comma-separated list to the java.power_management.types configuration parameter.

3.2.14.4.3.  System Details > Provisioning > Snapshots — [Prov]

Snapshots enable you to roll back the system's package profile, configuration files, and SUSE Manager settings. Snapshots are always captured automatically after an action takes place on a Provisioning-entitled system. The Snapshots subtab lists all snapshots for the system, including the reason why the snapshot was taken, the time it was taken, and the number of tags applied to each snapshot.

[Note]Technical Details
  • A snapshots is always done after a successful operation and not before, as you might expect. One consequence of the fact that snapshots are taken after the action is that, if you want to undo action number X, then you must roll back to the snapshot number X-1.

  • It is possible to disable snapshotting globally (in rhn.conf set enable_snapshots = 0), but it is enabled by default. No further fine tuning is possible.

To revert to a previous configuration, click the Reason for the snapshot and review the potential changes on the provided subtabs, starting with Rollback.

[Important]Unsupported Rollback Scenarios

Snapshot roll backs support the ability to revert certain changes to the system, but not in every scenario. For example, you can roll back a set of RPM packages, but rolling back across multiple update levels is not supported.

Rolling back an SP migration is also not supported.

Each subtab provides the specific changes that will be made to the system during the rollback:

  • group memberships,

  • channel subscriptions,

  • installed packages,

  • configuration channel subscriptions,

  • configuration files,

  • snapshot tags.

When satisfied with the reversion, return to the Rollback subtab and click the Rollback to Snapshot button. To see the list again, click Return to snapshot list.

Background Information About Snapshots

  • There is no maximum number of snapshots that SUSE Manager will keep, thus related database tables will grow with system count, package count, channel count, and the number of configuration changes over time. Installations with more than a thousand systems should consider setting up a recurring cleanup script via the API or disabling this feature altogether.

  • There is currently no integrated support for rotated snapshots.

3.2.14.4.4. System Details > Provisioning > Snapshot Tags — [Prov]

Snapshot tags provide a means to add meaningful descriptions to your most recent system snapshot. This can be used to indicate milestones, such as a known working configuration or a successful upgrade. To tag the most recent snapshot, click create new system tag, enter a descriptive term in the Tag name field, and click the Tag Current Snapshot button. You may then revert using this tag directly by clicking its name in the Snapshot Tags list. To delete tags, select their check boxes, click Remove Tags, and confirm the action.

3.2.14.5. System Details > Monitoring — [Mon]

This tab is only visible for systems registered with SUSE Manager that are Monitoring enabled and entitled. All probes monitoring the system are listed here. The State column shows icons representing the status of each probe. Refer to Chapter 11, Monitoring — [Mon] for descriptions of these states. Clicking the Probe Description takes you to its Current State page. The Status String column displays the last message received from the probe.

To add a probe to the system, click the create new probe link at the top-right corner and fill in the fields on the following page. Refer to Section “Managing Probes” (Chapter 4, Monitoring, ↑Reference Guide) for detailed instructions.

Once the probe has been added, you must reconfigure your Monitoring infrastructure to recognize it. Refer to Section 11.2, “Scout Config Push — [Mon]” for details. After the probe has run, its results become available on the Current State page. Refer to Section 11.1.7, “Current State — [Mon]” for details.

To remove a probe from a system, click on the name of the probe, then click the delete probe link in the upper right corner. Confirm by clicking the Delete Probe button to complete the process.

3.2.14.6. System Details > Groups — [Mgmt]

The Groups tab and its subtabs allow you to manage the system's group memberships.

3.2.14.6.1. System Details > Groups > List/Leave — [Mgmt]

This subtab lists groups to which the system belongs and enables you to cancel membership. Only System Group Administrators and SUSE Manager Administrators can remove systems from groups. Non-admins just see a Review this system's group membership page. To remove the system from one or more groups, select the respective check boxes of these groups and click the Leave Selected Groups button. To see the System Group Detailspage, click on the group's name. Refer to Section 3.3.3, “System Group Details — [Mgmt]” for more information.

3.2.14.6.2. System Details > Groups > Join — [Mgmt]

Lists groups that the system can be subscribed to. Only System Group Administrators and SUSE Manager Administrators can add a system to groups. Non-admins see a Review this system's group membership page. To add the system to groups, select the groups' check boxes and click the Join Selected Groups button.

3.2.14.7. System Details > Audit

Via the Audit tab, view OpenSCAP scan results or schedule scans. For more information on auditing and OpenSCAP, refer to Chapter 6, Audit.

3.2.14.8. System Details > Events

Displays past, current, and scheduled actions on the system. You may cancel pending events here. The following sections describe the Events subtabs and the features they offer.

3.2.14.8.1. System Details > Events > Pending

Lists events that are scheduled but have not started. A prerequisite action must complete successfully before the given action is attempted. If an action has a prerequisite, no check box is available to cancel that action. Instead, a check box appears next to the prerequisite action; canceling the prerequisite action causes the action in question to fail.

Actions can be chained so that action 'a' requires action 'b' which requires action 'c'. Action 'c' is performed first and has a check box next to it until it is completed successfully. If any action in the chain fails, the remaining actions also fail. To unschedule a pending event, select the event and click the Cancel Events button at the bottom of the page. The following icons indicate the type of events:

  • — Package Event,

  • — Patch Event,

  • — Preferences Event,

  • — System Event.

3.2.14.8.2. System Details > Events > History

The default display of the Events tab lists the type and status of events that have failed, occurred or are occurring. To view details of an event, click its summary in the System History list. To the table again, click Return to history list at the bottom of the page.

3.3. System Groups — [Mgmt]

The System Groups page allows all SUSE Manager Management and Provisioning users to view the System Groups list. Only System Group Administrators and SUSE Manager Administrators may perform the following additional tasks:

  1. Create system groups. (Refer to Section 3.3.1, “Creating Groups”.)

  2. Add systems to system groups. (Refer to Section 3.3.2, “Adding and Removing Systems in Groups”.)

  3. Remove systems from system groups. (Refer to Section 3.2.14, “System Details”.)

  4. Assign system group permissions to users. (Refer to Chapter 10, Users — [Mgmt].)

The System Groups list displays all system groups. The list contains several columns for each group:

  • Select — Via the check boxes add all systems in the selected groups to the System Set Manager by clicking the Update button. All systems in the selected groups are added to the System Set Manager. You can then use the System Set Manager to perform actions on them simultaneously. It is possible to select only those systems that are members of all of the selected groups, excluding those systems that belong only to one or some of the selected groups. To do so, select the relevant groups and click the Work with Intersection button. To add all systems of all selected groups, click the Work with Union button. Each system will show up once, regardless of the number of groups to which it belongs. Refer to Section 3.4, “System Set Manager — [Mgmt]” for details.

  • Updates — Shows which type of patch alerts are applicable to the group or confirms that all systems are up-to-date. Clicking on a group's status icon takes you to the Patch tab of its System Group Details page. Refer to Section 3.3.3, “System Group Details — [Mgmt]” for more information.

    The status icons call for differing degrees of attention:

    • — All systems in the group are up-to-date.

    • — Critical patches available, update strongly recommended.

    • — Updates available and recommended.

  • Health - Status of the systems in the group, reported by probes.

  • Group Name — The name of the group as configured during its creation. The name should be explicit enough to distinguish from other groups. Clicking on the name of a group takes you to the Details tab of its System Group Details page. Refer to Section 3.3.3, “System Group Details — [Mgmt]” for more information.

  • Systems — Total number of systems in the group. Clicking on the number takes you to the Systems tab of the System Group Details page for the group. Refer to Section 3.3.3, “System Group Details — [Mgmt]” for more information.

  • Use in SSM — Clicking the Use in SSM link in this column loads all and only the systems in the selected group and launches the System Set Manager immediately. Refer to Section 3.4, “System Set Manager — [Mgmt]” for more information.

3.3.1. Creating Groups

To add a new system group, click the create new group link at the top-right corner of the page. Type a name and description and click the Create Group button. Make sure you use a name that clearly sets this group apart from others. The new group will appear in the System Groups list.

3.3.2. Adding and Removing Systems in Groups

Systems can be added and removed from system groups. Clicking on the group name takes you to the Details page. The Systems tab shows all systems in the group and allows you to select some or all systems for deletion. Click on Remove Systems to remove the selected systems from the group. The Target Systems page shows you all systems that can be added to the group. Select the systems and click the Add Systems button.

3.3.3. System Group Details — [Mgmt]

At the top of each System Group Details page are two links: work with group and delete group. Clicking delete group deletes the System Group and should be used with caution. Clicking Work with Group loads the group's systems and launches the System Set Manager immediately just like the Use Group button from the System Groups list. Refer to Section 3.4, “System Set Manager — [Mgmt]” for more information.

The System Group Details page is split into the following tabs:

3.3.3.1. System Group Details > Details — [Mgmt]

Provides the group name and group description. To change this information, click Edit Group Properties, make your changes in the appropriate fields, and click the Modify Details button.

3.3.3.2. System Group Details > Systems — [Mgmt]

Lists all members of the system group. Clicking links within the table takes you to corresponding tabs within the System Details page for the associated system. To remove systems from the group, select the appropriate check boxes and click the Remove from group button on the bottom of the page. Clicking it does not delete systems from SUSE Manager entirely. This is done through the System Set Manager or System Details pages. Refer to Section 3.4, “System Set Manager — [Mgmt]” or Section 3.2.14, “System Details”, respectively.

3.3.3.3. System Group Details > Target Systems — [Mgmt]

Target Systems — Lists all systems in your organization. To add systems to the specified system group, click the check boxes to their left and click the Add Systems button on the bottom right-hand corner of the page.

3.3.3.4. System Group Details > Patches — [Mgmt]

List of relevant patches for systems in the system group. Clicking the advisory takes you to the Details tab of the Patch Details page. (Refer to Section 4.2.2, “Patch Details” for more information.) Clicking the Affected Systems number lists all of the systems affected by the patch. To apply the patch updates in this list, select the systems and click the Apply Patches button.

3.3.3.5. System Group Details > Admins — [Mgmt]

List of all organization users that have permission to manage the system group. SUSE Manager Administrators are clearly identified. System Group Administrators are marked with an asterisk (*). To change the system group's users, select and deselect the appropriate check boxes and click the Update button.

3.3.3.6. System Group Details > Probes — [Prov]

List of all probes assigned to systems in the system group. State shows the status of the probe. Click the individual System for details on the probe and to make changes to the probe configuration. Click Probe to generate a customizable report on the monitoring.

3.4. System Set Manager — [Mgmt]

The following actions performed for individual systems through the System Details page may be performed for multiple systems via the System Set Manager:

  • Apply patch updates.

  • Upgrade packages to the most recent versions available.

  • Add systems to or remove them from system groups.

  • Subscribe/unsubscribe systems to/from channels.

  • Update system profiles.

  • Modify system preferences such as scheduled download and installation of packages.

  • Autoinstall several Provisioning-entitled systems at once.

  • Set the subscription and rank of configuration channels for Provisioning-entitled systems.

  • Tag the most recent snapshots of your selected Provisioning-entitled systems.

  • Revert Provisioning-entitled systems to previous snapshots.

  • Run remote commands on Provisioning-entitled systems.

Before performing actions on multiple systems, select the systems you wish to modify. To do so, click the List the systems link, check the boxes to the left of the systems you wish to select, and click the Update List button.

You can access the System Set Manager in three different ways:

  1. Click the System Set Manager link in the left navigation area.

  2. Click the Use Group button in the System Groups list.

  3. Check the Work with Group link on the System Group Details page.

3.4.1. System Set Manager > Overview — [Mgmt]

Description of the various options available to you in the remaining tabs.

3.4.2. System Set Manager > Systems — [Mgmt]

List of selected systems. To remove systems from this set, select them and click the Remove button.

3.4.3. System Set Manager > Patches — [Mgmt]

List of patch updates applicable to the current system set. Click the number in the Systems column to see to which systems in the System Set Manager a patch applies. To apply updates, select the patches and click the Apply Patches button.

3.4.4. System Set Manager > Packages — [Mgmt]

Click the number in the Systems column to see the systems in the System Set Manager to which a package applies. Modify packages on the system via the following subtabs:

3.4.4.1. System Set Manager > Packages > Upgrade — [Mgmt]

A list of all the packages installed on the selected systems that might be upgraded. Systems must be subscribed to a channel providing the packages to be upgraded. If multiple versions of a package are available, note that your system will be upgraded to the latest version. Select the packages to be upgraded, then click the Upgrade Packages button.

3.4.4.2. System Set Manager > Packages > Install — [Mgmt]

This list includes all channels to which systems in the set are subscribed. A package is only installed on a system if the system is subscribed to the channel providing the package. Click on the channel name and select the packages from the list. Then click the Install Packages button.

3.4.4.3. System Set Manager > Packages > Remove — [Mgmt]

A list of all the packages installed on the selected systems that might be removed. Multiple versions appear if systems in the System Set Manager have more than one version installed. Select the packages to be deleted, then click the Remove Packages button.

3.4.5. System Set Manager > Verify — [Mgmt]

A list of all installed packages whose contents, file checksum, and other details may be verified. At the next check in, the verify event issues the command rpm --verify for the specified package. If there are any discrepancies, they are displayed in the System Details page for each system.

Select the check box next to all packages to be verified, then click the Verify Packages button. On the next page, select a date and time for the verification, then click the Schedule Verifications button.

3.4.6. System Set Manager > Groups — [Mgmt]

Tools to create groups and manage membership. These functions are limited to SUSE Manager Administrators and System Group Administrators. To add a new group, click create new group on the top-right corner. In the next page, type the group name and description in the respective fields and click the Create Group button. To add or remove selected systems in any of the system groups, toggle the appropriate radio buttons and click the Alter Membership button.

3.4.7. System Set Manager > Channels — [Mgmt]

Manage channel associations through the following subtabs:

3.4.7.1. System Set Manager > Channels > Channel Subscriptions — [Mgmt]

To subscribe or unsubscribe selected systems to any of the channels, toggle the appropriate check boxes and click the Alter Subscriptions button. Keep in mind that subscribing to a channel uses a channel entitlement for each system in the selected group. If too few entitlements are available, some systems fail to subscribe. Systems must subscribe to a base channel before subscribing to a child channel.

3.4.8. System Set Manager > Configuration — [Prov]

Like in the System Details+Channels+Configuration tab, the subtabs here can be used to subscribe the selected systems to configuration channels and deploy and compare the configuration files on the systems. The channels are created in the Manage Config Channels interface within the Channels category. Refer to Section 8.2, “Overview” for channel creation instructions.

To manage the configuration of a system, install the latest rhncfg* packages. Refer to Section 8.1, “Preparing Systems for Config Management” for instructions on enabling and disabling scheduled actions for a system.

3.4.8.1. System Set Manager > Configuration > Deploy Files — [Prov]

Use this subtab to distribute configuration files from your central repository on SUSE Manager to each of the selected systems. The table lists the configuration files associated with any of the selected systems. Clicking its system count displays the systems already subscribed to the file.

To subscribe the selected systems to the available configuration files, select the check box for each desired file. When done, click Deploy Configuration and schedule the action. Note that the latest versions of the files, at the time of scheduling, are deployed. Newer versions created after scheduling are disregarded.

3.4.8.2. System Set Manager > Configuration > Compare Files — [Prov]

Use this subtab to validate configuration files on the selected systems against copies in your central repository on SUSE Manager. The table lists the configuration files associated with any of the selected systems. Clicking a file's system count displays the systems already subscribed to the file.

To compare the configuration files deployed on the systems with those in SUSE Manager, select the check box for each file to be validated. Then click Analyze Differences and schedule the action. The comparisons for each system will not complete until each system checks in to SUSE Manager. Once each comparison is complete, any differences between the files will be accessible from each system's events page.

Note that the latest versions of the files, at the time of scheduling, are compared. Newer versions created after scheduling are disregarded. Find the results in the main Schedule category or within the System Details+Events tab.

3.4.8.3. System Set Manager > Configuration > Subscribe to Channels — [Prov]

Subscribe systems to configuration channels according to the order of preference. This tab is available only to SUSE Manager Administrators and Configuration Administrators. Enter a number in the Rank column to subscribe to a channel. Channels are accessed in the order of their rank, starting with the number 1. Channels not assigned a numeric value are not associated with the selected systems. Your local configuration channel always overrides all other channels. Once you have established the rank of the config channels, you must decide how they are applied to the selected systems.

The three buttons below the channels reflect your options. Clicking Subscribe with Highest Priority places all the ranked channels before any other channels to which the selected systems are currently subscribed. Clicking Subscribe With Lowest Priority places the ranked channels after those channels to which the selected systems are currently subscribed. Clicking Replace Existing Subscriptions removes any existing association and creates new ones with the ranked channels, leaving every system with the same config channels in the same order.

In the first two cases, if any of the newly ranked config channels are already in a system's existing config channel list, the duplicate channel is removed and replaced according to the new rank, effectively reordering the system's existing channels. When such conflicts exist, you are presented with a confirmation page to ensure the intended action is correct. When the change has taken place, a message appears at the top of the page indicating the update was successful.

3.4.8.4. System Set Manager > Configuration > Unsubscribe from Channels — [Mgmt]

Administrators may unsubscribe systems from configuration channels by clicking the check box next to the channel name and clicking the Unsubscribe Systems button.

3.4.8.5. System Set Manager > Configuration > Enable Configuration — [Mgmt]

Administrators may enable configuration channel management by clicking the check box next to the channel name and clicking the Enable Configuration Management button. You can also schedule the action by clicking the Schedule package installs for no sooner than radio button and using the drop-down menus to configure date and time, then clicking Enable Configuration Management.

3.4.9. System Set Manager > Provisioning — [Prov]

Set the options for provisioning systems via the following subtabs.

3.4.9.1. System Set Manager > Provisioning > Autoinstallation — [Prov]

Use this subtab to reinstall a client on the selected Provisioning-entitled systems. To schedule autoinstallations for these systems, select a distribution. The autoinstallation profile used for each system in the set is determined via the Autoinstallable Type radio buttons.

Choose Select autoinstallation profile if you want to apply the same profile to all systems in the set. This is the default option. You will see a list of available profiles to select from once you click on Continue.

Choose Autoinstall by IP Address if you want to apply different autoinstallation profiles to different systems in the set, by IP address. To do so, at least two autoinstallation profiles must be configured with associated IP ranges. For more information, see Section 3.9.4.6, “Assigning IP Ranges to Profiles”

If you use Autoinstall by IP Address, SUSE Manager will automatically pick a profile for each system so that the system's IP address will be in one of the IP ranges specified in the profile itself. If such a profile cannot be found, SUSE Manager will look for an organization default profile and apply that instead. For more information on assigning default profiles to organizations, refer to Section 3.9.4.5, “Assigning Default Profiles to an Organization” If no matching IP ranges nor organization default profiles can be found, no autoinstallation will be performed on the system. You will be notified on the next page if that happens.

To use Cobbler system records for autoinstallation, select Create PXE Installation Configuration. With PXE boot, you can not only reinstall clients, but automatically install machines that don't have an operating system installed yet. SUSE Manager and its network must be properly configured to enable PXE booting. For more information on Cobbler and Kickstart templates, refer to Chapter 7, Cobbler (↑Reference Guide).

[Note]

If a system set contains bare-metal systems and installed clients, only features working for systems without an operating system installed will be available. Full features will be enabled again once all bare-metal systems are removed from the set.

If any of the systems connect to SUSE Manager via a proxy server, choose either the Preserve Existing Configuration radio button or the Use Proxy radio button. If you choose to autoinstall through a proxy server, select from the available proxies listed in the drop-down box beside the Use Proxy radio button. All of the selected systems will autoinstall via the selected proxy. Click the Schedule Autoinstall button to confirm your selections. When the autoinstallations for the selected systems are successfully scheduled, you will return to the System Set Manager page.

3.4.9.2. System Set Manager > Provisioning > Tag Systems — [Prov]

Use this subtab to add meaningful descriptions to the most recent snapshots of your selected systems. To tag the most recent system snapshots, enter a descriptive term in the Tag name field and click the Tag Current Snapshots button.

3.4.9.3. System Set Manager > Provisioning > Rollback — [Prov]

Use this subtab to rollback selected Provisioning-entitled systems to previous snapshots marked with a tag. Click the tag name, verify the systems to be reverted, and click the Rollback Systems button.

3.4.9.4. System Set Manager > Provisioning > Remote Command — [Prov]

Use this subtab to issue remote commands on selected Provisioning-entitled systems. First create a run file on the client systems to allow this function to operate. Refer to Section 3.2.14.1.3, “System Details > Details > Remote Command — [Prov]” for instructions. Then identify a specific user, group, timeout period, and the script to run. Select a date and time to execute the command and click Schedule Remote Command.

3.4.10. System Set Manager > Audit — [Mgmt]

System sets can be scheduled for XCCDF scans. Enter the command and command-line arguments, as well as the path to the XCCDF document. Then schedule the scan. All target systems are listed below with a flag whether they support OpenSCAP scans. For more details on OpenSCAP and audits, refer to Chapter 6, Audit

3.4.11. System Set Manager > Misc — [Mgmt]

On the Misc page, you can modify Custom System Information. Click Set a custom value for selected systems, then the name of a key. Enter values for all selected systems, then click the Set Values button. To remove values for all selected systems, click Remove a custom value from selected systems, then the name of the key. Click the Remove Values button to delete.

Add or remove add-on entitlements by clicking on System Entitlements Page and set System Preferences via the respective radio buttons.

3.4.11.1. System Set Manager > Misc > Add or Remove Add-On Entitlements — [Mgmt]

Select the systems for which to modify entitlements and use the respective Base Entitlement buttons to set Update or Management entitlements, or use Unentitle to remove entitlements. From the drop-down menu select an Add-On Entitlement and click either Add Entitlement or Remove Entitlement.

3.4.11.2. System Set Manager > Misc > System Preferences — [Mgmt]

Toggle the Yes and No radio buttons and click the Change Preferences button to alter your notification preferences for the selected systems. You may apply these preferences to individual systems through the Properties subtab of the System Details page. Refer to Section 3.2.14.1.2, “System Details > Details > Properties” for instructions.

  • Receive Notifications of Updates/Patches — This setting keeps you aware of all advisories pertaining to your systems. Any time an update is released for a system you administer, a notification is sent via email.

  • Include system in Daily Summary — This setting includes the selected systems in a daily summary of system events. By default, all Management and Provisioning systems are included in the summary. These system events are actions that affect packages, such as scheduled patch updates, system reboots, or failures to check in. Select receive email notifications on the Your Preferences page. Refer to Section 2.4, “Your Preferences” for instructions. Note that SUSE Manager sends these summaries only to verified email addresses.

  • Automatic application of relevant Patches — This setting enables the automatic application of patch updates to the selected systems. Packages associated with patches are updated without any user intervention. The use of the auto-update feature for production systems is not recommend because conflicts between packages and environments can cause system failures.

3.4.11.3. System Set Manager > Misc > Hardware — [Mgmt]

Click on the Hardware subtab to schedule a hardware profile refresh. Click Confirm Refresh

3.4.11.4. System Set Manager > Misc > Software — [Mgmt]

Click the Software subtab, then the Confirm Refresh button to schedule a package profile update of the selected systems.

3.4.11.5. System Set Manager > Misc > Migrate

Click the Migrate subtab to move selected systems to a selected organization.

3.4.11.6. System Set Manager > Misc > Lock/Unlock — [Mgmt]

Select the Lock/Unlock subtab to select systems to be excluded from package updates. Enter a Lock reason in the text field and click the Lock button. Already locked systems can be unlocked on this page. Select them and click Unlock.

3.4.11.7. System Set Manager > Misc > Reboot — [Mgmt]

Select the appropriate systems, then click the Reboot Systems link to select these systems for reboot. To cancel this action, click the list of systems link that appears within the confirmation message at the top of the page, select the systems, and click Unschedule Action.

3.4.11.8. System Set Manager > Misc > Delete — [Mgmt]

Click the Delete subtab, to remove systems by deleting their system profiles. Click the Confirm Deletions button to remove the selected profiles permanently.

3.5. Advanced Search — [Mgmt]

Carry out a System Search on your systems according to the following criteria: custom system information, system details, hardware, devices, interface, networking, packages, and location.

Refine searches using the Fields to Search drop-down menu, which is set to Name/Description by default.

The following list details the Fields to Search drop-down menu.

  • Location — The physical location of a system, which includes the following:

    • Address — the address of the system or system set,

    • Building — the building or site in an address,

    • Room — the server or system room within a building,

    • Rack — the designated location within a server room where a system is situated.

  • Hardware Devices — Search systems by specific hardware details such as driver names and device or vendor IDs.

    • Description — Device summary information, such as brand or model name/number (for instance Intel 82801HBM/HEM)

    • Driver — The kernel driver or module name (such as tulip.o or iwl3945)

    • Device ID — The hexadecimal number corresponding to the device installed in the system.

    • Vendor ID — The hexadecimal number corresponding to the vendor of the device installed in the system.

  • Network Info — Search systems based on specific networking details such as IP address.

    • Hostname — The name of a system registered with SUSE Manager.

    • IP Address — The network address of a system registered with SUSE Manager.

  • Packages — Search by the packages installed (and not yet installed) on the system.

    • Installed Packages — Filter systems based on certain installed packages.

    • Needed Packages — Filter systems based on particular packages that have yet to be installed.

  • DMI Info — The Desktop Management Interface (DMI) is a standard for management of components on computer system. Search for SUSE Manager systems using the following DMI retrieval methods:

    • System — Product names or numbers, manufacturer names, serial numbers, and other information that may be unique to a system.

    • BIOS — BIOS support information such as BIOS vendor name and version, hardware support enabled in the BIOS, and more.

    • Asset Tag — A unique identifier assigned by an IT department (or vendor) to a system for better tracking, management and inventory.

  • Hardware — Systems can be searched by particular components in the system, including the following:

    • CPU Model — The CPU model name (such as Pentium or Athlon).

    • CPU MHz Less Than — Search systems with a processor less than the selected speed in Megahertz.

    • CPU MHz More Than — Search systems with a processor more than a user-designated speed in Megahertz.

    • Number of CPUs Less Than — Search systems with a sum of processors less than the user-designated quantity.

    • Number of CPUs Greater Than — Search systems with a sum of processors greater than the specified quantity.

    • RAM Less Than — Search systems with less memory than the user-designated quantity in megabytes.

    • RAM More Than — Search systems with more memory than the user-designated quantity in megabytes.

  • Activity — Search by the amount of time elapsed since the systems first or last checked in with SUSE Manager.

    • Days Since Last Check-in — Search by the amount of days passed since the systems last checked in with SUSE Manager.

    • Days Since First Check-in — Search by the amount of days passed since the systems first checked in with SUSE Manager.

  • Details — The unique identifiers assigned to a system by administrators and particularly SUSE Manager Administrators. These unique identifiers include:

    • Name/Description — The name assigned to a system by the SUSE Manager Administrator when adding it to the SUSE Manager server.

    • ID — An identifier that is unique to a system or system set.

    • Custom Info — Information which only applies to this one system.

    • Snapshot Tag — The name assigned to a new or previous system snapshot.

    • Running Kernel — The currently running kernel on a system registered with SUSE Manager.

The Activity selections (Days Since Last Check-in, for instance) are useful in finding and removing outdated system profiles.

Type the keyword, select the criterion to search by, use the radio buttons to specify whether you wish to query all systems or only those in the System Set Manager, and click the Search button. To list all systems that do not match the criteria, select the Invert Result check box.

The results appear at the bottom of the page. For details on how to use the resulting system list, refer to Section 3.2, “Systems”.

3.6. Activation Keys — [Mgmt]

SUSE Manager Management and Provisioning customers with the Activation Key Administrator role (including SUSE Manager Administrators) can generate activation keys in the SUSE Manager Web interface. With such an activation key, register a SUSE Linux Enterprise or Red Hat Enterprise Linux system, entitle the system to a SUSE Manager service level and subscribe the system to specific channels and system groups through the rhnreg_ks command line utility.

[Note]

System-specific activation keys created through the Reactivation subtab of the System Details page are not part of this list because they are not reusable across systems.

3.6.1. Managing Activation Keys

To create an activation key:

Procedure 3.4. Creating Activation Keys

  1. Select Systems from the top navigation bar then Activation Keys from the left navigation bar.

  2. Click the create new key link at the upper right corner.

  3. Description — Enter a Description to identify the generated activation key.

  4. Key — Either choose automatic generation by leaving this field blank or enter the key you want to generate in the Key field. This string of characters can then be used with rhnreg_ks to register client systems with SUSE Manager. Refer to Section 3.6.2, “Using Multiple Activation Keys at Once — [Prov]” for details.

    [Warning]Allowed Characters

    Do not insert commas or double quotes in the key. All other characters are allowed, but <> (){} (this includes the space) will get removed automatically. If the string is empty, a random one is generated.

    Commas are problematic because they are used as separator when two or more activation keys are used at once.

  5. Usage Limit — The maximum number systems that can be registered with the activation key concurrently. Leave blank for unlimited use. Deleting a system profile reduces the usage count by one and registering a system profile with the key increases the usage count by one.

  6. Base Channel — The primary channel for the key. This can be either the SUSE Manager Default channel or a custom base channel.

    Selecting SUSE Manager Default allows client systems to register with the SUSE-provided default channel that corresponds with their installed version of SUSE Linux Enterprise. You can also associate the key with a custom base channel. If a system using this key is not compatible with the selected channel, it will fall back to the SUSE Manager default channel.

  7. Add-on Entitlements — The supplemental entitlements for the key, including Monitoring, Provisioning, Virtualization, and Virtualization Platform. All systems will receive these entitlements with the key.

  8. Contact Method - Select how clients communicate with SUSE Manager. Pull waits for the client to check in. With Push via SSH and Push via SSH tunnel the server contacts the client via SSH (with or without tunnel) and pushes updates and actions, etc.

  9. Universal default — Select whether or not this key should be considered the primary activation key for your organization.

    [Warning]Changing the Default Activation Key

    Only one universal default activation key can be defined per organization. If a universal key already exists for this organization, you will unset the currently used universal key by activating the check box.

  10. Click Create Key.

To create more activation keys, repeat the steps above. Use a comma as a key separator.

Figure 3.1. Activation Keys

Activation Keys

After creating the unique key, it appears in the list of activation keys along with the number of times it has been used (see Figure 3.1, “Activation Keys”). Note that only Activation Key Administrators can see this list. At this point, you can configure the key further, for example, associate the key with child channels (e.g., the Tools child channel), packages (e.g., the rhncfg-actions package) and groups. Systems registered with the key get automatically subscribed to them.

To change the information about a key, click the key's description in the list to display its Details page (see Figure 3.2, “Activation Key Details With Subtabs”). Here you can change the settings at key creation and activate Configuration File Deployment. Via additional tabs you can select channels, packages, group membership and view activated systems. Modify the appropriate tab then click the Update Key button. To disassociate channels and groups from a key, deselect them in the respective menus by Ctrl-clicking their highlighted names. To remove a key entirely, click the delete key link in the upper right corner of the Details page.

Figure 3.2. Activation Key Details With Subtabs

Activation Key Details With Subtabs

Any (client tools) package installation requires that the Client Tools channel is available and the Provisioning checkbox is selected. The Client Tools channel should be selected in the Child Channels tab.

After you created the activation key, you can see in the Details tab a checkbox named Configuration File Deployment. If you select it, all needed packages are automatically added to the Packages list. By default, the following packages which are added: rhncfg, rhncfg-client, and rhncfg-actions.

If you select Virtualization or Virtualization Platform you automatically get the following package: rhn-virtualization-host.

Adding the osad packages makes sense if you want to execute scheduled actions immediately after the schedule time.

A system may be subscribed to a base channel during registration with an activation key. However, if the activation key specifies a base channel that is not compatible with the operating system running on the system, the registration fails. For example, a SUSE Linux Enterprise Server for x86 system cannot register with an Activation Key that specifies a SUSE Linux Enterprise Server for x86_64 base channel. A system can always subscribe to a custom base channel.

To disable system activations with a key, uncheck the corresponding box in the Enabled column in the key list. The key can be re-enabled by selecting the check box. Click the Update Keys button on the bottom right-hand corner of the page to activate your changes.

3.6.2. Using Multiple Activation Keys at Once — [Prov]

Provisioning customers should note that multiple activation keys can be specified at the command-line or in a single autoinstallation profile. This allows you to aggregate the aspects of various keys without recreating a specific key for every system that you want to register, simplifying the registration and autoinstallation processes while slowing the growth of your key list.

Without this stacking ability, your organization would need at least six activation keys to manage four server groups and subscribe a server to any two groups. Factor in two versions of the operating system and you need twice the number of activation keys. A larger organization would need keys in the dozens.

Registering with multiple activation keys requires some caution; conflicts between some values cause registration to fail. Conflicts in the following values do not cause registration to fail, a combination of values is applied: software packages, software child channels, and config channels. Conflicts in the remaining properties are resolved in the following manner:

  • Base software channels: registration fails.

  • Entitlements: registration fails.

  • Enable config flag: configuration management is set.

Do not use system-specific activation keys along with other activation keys; registration fails in this event.

You are now ready to use multiple activation keys at once. Separate keys with a comma at the command line with rhnreg_ks or in a Kickstart profile in the Activation Keys tab of the Autoinstallation Details page. Refer to Section 3.9.4.16, “Activation Keys — [Prov]” for instructions.

3.7. Stored Profiles — [Mgmt]

SUSE Manager Provisioning customers can create package profiles via the System Details page. Under Software+Packages+Profiles, click on Create System Profile. Enter a Profile Name and Profile Description, then click Create Profile. These profiles are displayed on the Stored Profiles page (left navigation bar), where they can be edited or deleted.

To edit a profile, click its name in the list, alter its name or description, and click the Update Profile button. To view software associated with the profile, click the Packages subtab. To remove the profile entirely, click delete profile at the upper-right corner of the page.

3.8. Custom System Info — [Prov]

SUSE Manager Provisioning customers may include completely customizable information about their systems. Unlike with notes, the information here is more formal and can be searched. For instance, you may decide to specify an asset tag for each system. To do so, select Custom System Info from the left navigation bar and create an asset key.

Click create new key in the upper-right corner of the page. Enter a suitable label and description, such as Asset and Precise location of each system, then click Create Key. The key will show up in the custom info keys list.

Once the key exists, you may assign a value to it through the Custom Info tab of the System Details page. Refer to Section 3.2.14.1.8, “System Details > Details > Custom Info — [Prov]” for instructions.

3.8.1. mgr-custom-info

In addition to creating and listing custom information keys via the SUSE Manager Web interface, there is a command-line tool called mgr-custom-info (rhn-custom-info package) that performs the same actions at a shell prompt.

The usage of mgr-custom-info is as follows:

mgr-custom-info options key1 value1

For example:

mgr-custom-info --username=admin --password=f00b4rb4z \
  --server-url=manager.example.com --list-values

The command lists the custom keys and their values for the manager.example.com SUSE Manager server.

For more information, refer to the help file by typing mgr-custom-info -h.

3.9. Autoinstallation — [Prov]

[Note]Autoinstallation Types: AutoYaST and Kickstart

In the following section, AutoYaST and AutoYaST features apply for SUSE Linux Enterprise client systems only. For RHEL systems, use Kickstart and Kickstart features.

AutoYaST and Kickstart configuration files allow administrators to create an environment for automating otherwise time-consuming system installations, such as multiple servers or workstations. AutoYaST files have to be uploaded to be managed with SUSE Manager. Kickstart files can be created, modified, and managed within the SUSE Manager Web interface.

SUSE Manager also features the Cobbler installation server. For more information on Cobbler, refer to Chapter 7, Cobbler (↑Reference Guide).

To satisfy the provisioning needs of customers, SUSE Manager provides an interface for developing Kickstart and AutoYaST profiles that can be used to install Red Hat Enterprise Linux or SUSE Linux Enterprise on either new or already-registered systems automatically according to certain specifications.

Figure 3.3. Autoinstallation Overview

Autoinstallation Overview

This overview page displays the status of automated installations (Kickstart and AutoYaST) on your client systems: the types and number of profiles you have created and the progress of systems that are scheduled to be installed using Kickstart or AutoYaST. In the upper right is the Autoinstallation Actions section, which contains a series of links to management actions for your Kickstart or AutoYaST profiles. Before explaining the various automated installation options on this page, the next two sections provide an introduction to AutoYaST (Section 3.9.1, “Introduction to AutoYaST”) and Kickstart (Section 3.9.2, “Introduction to Kickstart”).

3.9.1. Introduction to AutoYaST

Using AutoYaST, a system administrator can create a single file containing the answers to all the questions that would normally be asked during a typical installation of SUSE Linux Enterprise Server.

AutoYaST files can be kept on a single server system and read by individual computers during the installation. This way the same AutoYaST file is used to install SUSE Linux Enterprise on multiple machines.

The SUSE Linux Enterprise Server Deployment Guide (http://www.suse.com/documentation/sles-12/book_sle_deployment/data/cha_deployment_autoinst.html) contains an in-depth discussion of Automated Installation using AutoYaST.

3.9.1.1. AutoYaST Explained

When a machine is to receive a network-based AutoYaST installation, the following events must occur in this order:

  1. After being connected to the network and turned on, the machine's PXE logic broadcasts its MAC address and requests to be discovered.

  2. If no static IP address is used, the DHCP server recognizes the discovery request and offers network information needed for the new machine to boot. This includes an IP address, the default gateway to be used, the netmask of the network, the IP address of the TFTP or HTTP server holding the bootloader program, and the full path and file name to that program (relative to the server's root).

  3. The machine applies the networking information and initiates a session with the server to request the bootloader program.

  4. The bootloader searches for its configuration file on the server from which it was loaded. This file dictates which Kernel and Kernel options, such as the initial RAM disk (initrd) image, should be executed on the booting machine. Assuming the bootloader program is SYSLINUX, this file is located in the pxelinux.cfg directory on the server and named the hexadecimal equivalent of the new machine's IP address. For example, a bootloader configuration file for SUSE Linux Enterprise Server should contain:

    port 0
    prompt 0
    timeout 1
    default autoyast
    label autoyast
      kernel vmlinuz
      append autoyast=http://my_susemanager_server/path \
        install=http://my_susemanager_server/repo_tree
  5. The machine accepts and uncompresses the initrd and kernel, boots the kernel, fetches the instsys from the install server and initiates the AutoYaST installation with the options supplied in the bootloader configuration file, including the server containing the AutoYaST configuration file.

  6. The new machine is installed based on the parameters established within the AutoYaST configuration file.

3.9.1.2. AutoYaST Prerequisites

Some preparation is required for your infrastructure to handle AutoYaST installations. For instance, before creating AutoYaST profiles, you may consider:

  • A DHCP server is not required for AutoYaST, but it can make things easier. If you are using static IP addresses, you should select static IP while developing your AutoYaST profile.

  • Host the AutoYaST distribution trees via HTTP, properly provided by SUSE Manager.

  • If conducting a so-called bare-metal AutoYaST installation, you should do the following:

    • Configure DHCP to assign the required networking parameters and the bootloader program location.

    • In the bootloader configuration file, specify the kernel and appropriate kernel options to be used.

3.9.1.3. Building Bootable AutoYaST ISOs

While you can schedule a registered system to be installed by AutoYaST with a new operating system and package profile, you can also automatically install a system that is not registered with SUSE Manager, or does not yet have an operating system installed. One common method of doing this is to create a bootable CD-ROM that is inserted into the target system. When the system is rebooted or switched on, it boots from the CD-ROM, loads the AutoYaST configuration from your SUSE Manager, and proceeds to install SUSE Linux Enterprise Server according to the AutoYaST profile you have created.

Build an ISO with cobbler and burn it on a CD-ROM. For more information, see Section “Building ISOs with Cobbler” (Chapter 7, Cobbler, ↑Reference Guide).

To use the CD-ROM, boot the system and type autoyast at the prompt (assuming you left the label for the AutoYaST boot as autoyast). When you press Enter, the AutoYaST installation begins.

For more information about image creation, refer to the SUSE Linux Enterprise Server Deployment Guide, Part Imaging and Creating Products.

3.9.1.4. Integrating AutoYaST with PXE

In addition to CD-ROM-based installations, AutoYaST installation through a Pre-Boot Execution Environment (PXE) is supported. This is less error-prone than CDs, enables AutoYaST installation from bare metal, and integrates with existing PXE/DHCP environments.

To use this method, make sure your systems have network interface cards (NIC) that support PXE, install and configure a PXE server, ensure DHCP is running, and place the installation repository on an HTTP server for deployment. Finally upload the AutoYaST profile via the Web interface to the SUSE Manager server. Once the AutoYaST profile has been created, use the URL from the Autoinstallation Overview page, as for CD-ROM-based installations.

To obtain specific instructions for conducting PXE AutoYaST installation, refer to the Using PXE Boot section of the SUSE Linux Enterprise Deployment Guide.

Starting with Section 3.9.3, “Autoinstallation Profiles (Kickstart and AutoYaST)”, AutoYaST options available from Systems+Kickstart are described.

3.9.2. Introduction to Kickstart

Using Kickstart, a system administrator can create a single file containing the answers to all the questions that would normally be asked during a typical installation of Red Hat Enterprise Linux.

Kickstart files can be kept on a single server and read by individual computers during the installation. This method allows you to use one Kickstart file to install Red Hat Enterprise Linux on multiple machines.

The Red Hat Enterprise Linux System Administration Guide contains an in-depth description of Kickstart (http://www.redhat.com/docs/manuals/enterprise/).

3.9.2.1. Kickstart Explained

When a machine is to receive a network-based Kickstart, the following events must occur in this order:

  1. After being connected to the network and turned on, the machine's PXE logic broadcasts its MAC address and requests to be discovered.

  2. If no static IP address is used, the DHCP server recognizes the discovery request and offers network information needed for the new machine to boot. This information includes an IP address, the default gateway to be used, the netmask of the network, the IP address of the TFTP or HTTP server holding the bootloader program, and the full path and file name of that program (relative to the server's root).

  3. The machine applies the networking information and initiates a session with the server to request the bootloader program.

  4. The bootloader searches for its configuration file on the server from which it was loaded. This file dictates which kernel and kernel options, such as the initial RAM disk (initrd) image, should be executed on the booting machine. Assuming the bootloader program is SYSLINUX, this file is located in the pxelinux.cfg directory on the server and named the hexadecimal equivalent of the new machine's IP address. For example, a bootloader configuration file for Red Hat Enterprise Linux AS 2.1 should contain:

    port 0 
    prompt 0 
    timeout 1 
    default My_Label 
    label My_Label 
          kernel vmlinuz 
          append ks=http://my_susemanager_server/path \
              initrd=initrd.img network apic
  5. The machine accepts and uncompresses the init image and kernel, boots the kernel, and initiates a Kickstart installation with the options supplied in the bootloader configuration file, including the server containing the Kickstart configuration file.

  6. This Kickstart configuration file in turn directs the machine to the location of the installation files.

  7. The new machine is built based on the parameters established within the Kickstart configuration file.

3.9.2.2. Kickstart Prerequisites

Some preparation is required for your infrastructure to handle Kickstarts. For instance, before creating Kickstart profiles, you may consider:

  • A DHCP server is not required for kickstarting, but it can make things easier. If you are using static IP addresses, select static IP while developing your Kickstart profile.

  • An FTP server can be used instead of hosting the Kickstart distribution trees via HTTP.

  • If conducting a bare metal Kickstart, you should configure DHCP to assign required networking parameters and the bootloader program location. Also, specify within the bootloader configuration file the kernel to be used and appropriate kernel options.

3.9.2.3. Building Bootable Kickstart ISOs

While you can schedule a registered system to be kickstarted to a new operating system and package profile, you can also Kickstart a system that is not registered with SUSE Manager or does not yet have an operating system installed. One common method of doing this is to create a bootable CD-ROM that is inserted into the target system. When the system is rebooted, it boots from the CD-ROM, loads the Kickstart configuration from your SUSE Manager, and proceeds to install Red Hat Enterprise Linux according to the Kickstart profile you have created.

To do this, copy the contents of /isolinux from the first CD-ROM of the target distribution. Then edit the isolinux.cfg file to default to 'ks'. Change the 'ks' section to the following template:

label ks 
kernel vmlinuz 
  append text ks=url initrd=initrd.img lang= devfs=nomount \
    ramdisk_size=16438 ksdevice

IP address-based Kickstart URLs will look like this:

http://my.manager.server/kickstart/ks/mode/ip_range 

The Kickstart distribution defined via the IP range should match the distribution from which you are building, or errors will occur. ksdevice is optional, but looks like:

ksdevice=eth0 

It is possible to change the distribution for a Kickstart profile within a family, such as Red Hat Enterprise Linux AS 4 to Red Hat Enterprise Linux ES 4, by specifying the new distribution label. Note that you cannot move between versions (4 to 5) or between updates (U1 to U2).

Next, customize isolinux.cfg further for your needs by adding multiple Kickstart options, different boot messages, shorter timeout periods, etc.

Next, create the ISO as described in the Making an Installation Boot CD-ROM section of the Red Hat Enterprise Linux Installation Guide. Alternatively, issue the command:

mkisofs -o file.iso -b isolinux.bin -c boot.cat -no-emul-boot \
  -boot-load-size 4 -boot-info-table -R -J -v -T isolinux/

Note that isolinux/ is the relative path to the directory containing the modified isolinux files copied from the distribution CD, while file.iso is the output ISO file, which is placed into the current directory.

Burn the ISO to CD-ROM and insert the disc. Boot the system and type "ks" at the prompt (assuming you left the label for the Kickstart boot as 'ks'). When you press Enter, Kickstart starts running.

3.9.2.4. Integrating Kickstart with PXE

In addition to CD-ROM-based installs, Kickstart supports a Pre-Boot Execution Environment (PXE). This is less error-prone than CDs, enables kickstarting from bare metal, and integrates with existing PXE/DHCP environments.

To use this method, make sure your systems have network interface cards (NIC) that support PXE. Install and configure a PXE server and ensure DHCP is running. Then place the appropriate files on an HTTP server for deployment. Once the Kickstart profile has been created, use the URL from the Kickstart Details page, as for CD-ROM-based installs.

To obtain specific instructions for conducting PXE Kickstarts, refer to the PXE Network Installations chapter of the Red Hat Enterprise Linux 4 System Administration Guide.

[Note]Tip

Running the Network Booting Tool, as described in the Red Hat Enterprise Linux 4: System Administration Guide, select "HTTP" as the protocol and include the domain name of the SUSE Manager in the Server field if you intend to use it to distribute the installation files.

The following sections describe the autoinstallation options available from the Systems+Autoinstallation page.

3.9.3. Autoinstallation Profiles (Kickstart and AutoYaST)

Figure 3.4. Autoinstallation Profiles

Autoinstallation Profiles

This page lists all profiles for your organization, shows whether these profiles are active, and specifies the distribution tree with which each profile is associated. You can either create a new Kickstart profile by clicking the create new kickstart profile link, upload or paste the contents of a new profile using the upload new kickstart/autoyast file, or edit an existing Kickstart profile by clicking the name of the profile. Note, you can only update AutoYaST profiles using the upload button. You can also view AutoYaST profiles in the edit box or change the virtualization type using the selection list.

3.9.4. Create a New Kickstart Profile

Click on the create new kickstart profile link from the Systems+Autoinstallation page to start the wizard that populates the base values needed for a Kickstart profile.

Procedure 3.5. Creating a New Kickstart Profile

  1. On the first line, enter a Kickstart profile label. This label cannot contain spaces, so use dashes (-) or underscores (_) as separators.

  2. Select a Base Channel for this profile, which consists of packages based on a specific architecture and Red Hat Enterprise Linux release.

  3. Select an Autoinstallable Tree for this profile. The Autoinstallable Tree drop-down menu is only populated if one or more distributions have been created for the selected base channel (see Section 3.9.8, “Autoinstallation > Distributions — [Prov]”).

  4. Instead of selecting a specific tree, you can also check the box Always use the newest Tree for this base channel. This setting lets SUSE Manager automatically pick the latest tree that is associated with the specified base channels. If you add new trees later, SUSE Manager will always keep the most recently created or modified.

  5. Select the Virtualization Type from the drop-down menu.

  6. On the second page, select (or enter) the location of the Kickstart tree.

  7. On the third page, select a root password for the system.

Depending on your base channel, your newly created Kickstart profile might be subscribed to a channel that is missing required packages. For Kickstart to work properly, the following packages should be present in its base channel: pyOpenSSL, rhnlib, libxml2-python, and spacewalk-koan and associated packages.

To resolve this issue:

  • Make sure that the Tools software channel for the Kickstart profile's base channel is available to your organization. If it is not, you must request entitlements for the Tools software channel from the SUSE Manager administrator.

  • Make sure that the Tools software channel for this Kickstart profile's base channel is available to your SUSE Manager as a child channel.

  • Make sure that rhn-kickstart and associated packages corresponding to this Kickstart are available in the Tools child channel.

The final stage of the wizard presents the Autoinstallation Details+Details tab. On this tab and the other subtabs, nearly every option for the new Kickstart profile can be customized.

Once created, you can access the Kickstart profile by downloading it from the Autoinstallation Details page by clicking the Autoinstallation File subtab and clicking the Download Autoinstallation File link.

If the Kickstart file is not managed by SUSE Manager, you can access it via the following URL:

http://my.manager.server/ks/dist/ks-rhel-ARCH-VARIANT-VERSION

In the above example, ARCH is the architecture of the Kickstart file, VARIANT is either client or server, and VERSION is the release of Red Hat Enterprise Linux associated with the Kickstart file.

The following sections describe the options available on each subtab.

3.9.4.1. Autoinstallation Details > Details — [Prov]

Figure 3.5. Autoinstallation Details

Autoinstallation Details

Figure 3.5, “Autoinstallation Details” shows the subtabs that are available. On the Autoinstallation Details+Details page, you have the following options:

  • Change the profile Label.

  • Change the operating system by clicking on (Change).

  • Change the Virtualization Type.

    [Note]

    Changing the Virtualization Type may require changes to the Kickstart profile bootloader and partition options, potentially overwriting user customizations. Consult the Partitioning tab to verify any new or changed settings.

  • Change the amount of Virtual Memory (in Megabytes of RAM) allocated to virtual guests autoinstalled with this profile.

  • Change the number of Virtual CPUs for each virtual guest.

  • Change the Virtual Storage Path from the default in /var/lib/xen/.

  • Change the amount of Virtual Disk Space (in GB) allotted to each virtual guest.

  • Change the Virtual Bridge for networking of the virtual guest.

  • Deactivate the profile so that it cannot be used to schedule a Kickstart by removing the Active check mark.

  • Check whether to enable logging for custom %post scripts to the /root/ks-post.log file.

  • Decide whether to enable logging for custom %pre scripts to the /root/ks-pre.log file.

  • Choose whether to preserve the ks.cfg file and all %include fragments to the /root/ directory of all systems autoinstalled with this profile.

  • Select whether this profile is the default for all of your organization's Kickstarts by checking or unchecking the box.

  • Add any Kernel Options in the corresponding text box.

  • Add any Post Kernel Options in the corresponding text box.

  • Enter comments that are useful to you in distinguishing this profile from others.

3.9.4.2. Autoinstallation Details > Operating System — [Prov]

On this page, you can make the following changes to the operating system that the Kickstart profile installs:

Change the base channel

Select from the available base channels. SUSE Manager administrators see a list of all base channels that are currently synced to the SUSE Manager.

Child Channels

Subscribe to available child channels of the base channel, such as the Tools channel.

Available Trees

Use the drop-down menu to choose from available trees associated with the base channel.

Always use the newest Tree for this base channel.

Instead of selecting a specific tree, you can also check the box Always use the newest Tree for this base channel. This setting lets SUSE Manager automatically pick the latest tree that is associated with the specified base channels. If you add new trees later, SUSE Manager will always keep the most recently created or modified.

Software URL (File Location)

The exact location from which the Kickstart tree is mounted. This value is determined when the profile is created. You can view it on this page but you cannot change it.

3.9.4.3. Autoinstallation Details > Variables

Autoinstallation variables can substitute values in Kickstart and AutoYaST profiles. To define a variable, create a name-value pair (name/value) in the text box.

For example, if you want to autoinstall a system that joins the network of a specified organization (for example the Engineering department), you can create a profile variable to set the IP address and the gateway server address to a variable that any system using that profile will use. Add the following line to the Variables text box.

IPADDR=192.168.0.28
GATEWAY=192.168.0.1

Now you can use the name of the variable in the profile instead of a specific value. For example, the network part of a Kickstart file looks like the following:

network --bootproto=static --device=eth0 --onboot=on --ip=$IPADDR \
  --gateway=$GATEWAY

The $IPADDR will be resolved to 192.168.0.28, and the $GATEWAY to 192.168.0.1

[Note]

There is a hierarchy when creating and using variables in Kickstart files. System Kickstart variables take precedence over Profile variables, which in turn take precedence over Distribution variables. Understanding this hierarchy can alleviate confusion when using variables in Kickstarts.

Using variables are just one part of the larger Cobbler infrastructure for creating templates that can be shared between multiple profiles and systems. For more information about Cobbler and templates, refer to Chapter 7, Cobbler (↑Reference Guide).

3.9.4.4. Autoinstallation Details > Advanced Options — [Prov]

From this page, you can toggle several installation options on and off by checking and unchecking the boxes to the left of the option. For most installations, the default options are correct. Refer to Red Hat Enterprise Linux documentation for details.

3.9.4.5. Assigning Default Profiles to an Organization

You can specify an Organization Default Profile by clicking on Autoinstallation+Profiles+profile name+Details, then checking the Organization Default Profile box and finally clicking on Update.

3.9.4.6. Assigning IP Ranges to Profiles

You can associate an IP range to an autoinstallation profile by clicking on Autoinstallation+Profiles+profile name+Bare Metal Autoinstallation, adding an IPv4 range and finally clicking on Add IP Range.

3.9.4.7. Autoinstallation Details > Bare Metal Autoinstallation — [Prov]

This subtab provides the information necessary to Kickstart systems that are not currently registered with SUSE Manager. Using the on-screen instructions, you may either autoinstall systems using boot media (CD-ROM) or by IP address.

3.9.4.8. System Details > Details — [Prov]

Figure 3.6. System Details

System Details

Figure 3.6, “System Details” shows the subtabs that are available from the System Details tab.

On the System Details+Details page, you have the following options:

  • Select between DHCP and static IP, depending on your network.

  • Choose the level of SELinux that is configured on kickstarted systems.

  • Enable configuration management or remote command execution on kickstarted systems.

  • Change the root password associated with this profile.

3.9.4.9. System Details > Locale — [Prov]

Change the timezone for kickstarted systems.

3.9.4.10. System Details > Partitioning — [Prov]

From this subtab, indicate the partitions that you wish to create during installation. For example:

partition /boot --fstype=ext3 --size=200 
partition swap --size=2000 
partition pv.01 --size=1000 --grow 
volgroup myvg pv.01 logvol / --vgname=myvg --name=rootvol --size=1000 --grow

3.9.4.11. System Details > File Preservation — [Prov]

If you have previously created a file preservation list, include this list as part of the Kickstart. This will protect the listed files from being over-written during the installation process. Refer to Section 3.9.9, “Autoinstallation > File Preservation — [Prov]” for information on how to create a file preservation list.

3.9.4.12. System Details > GPG & SSL — [Prov]

From this subtab, select the GPG keys and/or SSL certificates to be exported to the kickstarted system during the %post section of the Kickstart. For SUSE Manager customers, this list includes the SSL Certificate used during the installation of SUSE Manager.

[Note]

Any GPG key you wish to export to the kickstarted system must be in ASCII rather than binary format.

3.9.4.13. System Details > Troubleshooting — [Prov]

From this subtab, change information that may help with troubleshooting hardware problems:

Bootloader

For some headless systems, it is better to select the non-graphic LILO bootloader.

Kernel Parameters

Enter kernel parameters here that may help to narrow down the source of hardware issues.

3.9.4.14. Software > Package Groups — [Prov]

Figure 3.7. Software

Software

Figure 3.7, “Software” shows the subtabs that are available from the Software tab.

Enter the package groups, such as @office or @admin-tools you would like to install on the kickstarted system in the large text box. If you would like to know what package groups are available, and what packages they contain, refer to the RedHat/base/ file of your Kickstart tree.

3.9.4.15. Software > Package Profiles — [Prov]

If you have previously created a Package Profile from one of your registered systems, you can use that profile as a template for the files to be installed on a kickstarted system. Refer to Section 3.2.14.2.2, “System Details > Software > Packages ” for more information about package profiles.

3.9.4.16. Activation Keys — [Prov]

Figure 3.8. Activation Keys

Activation Keys

The Activation Keys tab allows you to select Activation Keys to include as part of the Kickstart profile. These keys, which must be created before the Kickstart profile, will be used when re-registering kickstarted systems.

3.9.4.17. Scripts — [Prov]

Figure 3.9. Scripts

Scripts

The Scripts tab is where %pre and %post scripts are created. This page lists any scripts that have already been created for this Kickstart profile. To create a new Kickstart script, perform the following procedure:

  1. Click the add new kickstart script link in the upper right.

  2. Enter the path to the scripting language used to create the script, such as /usr/bin/perl.

  3. Enter the full script in the large text box.

  4. Indicate whether this script is to be executed in the %pre or %post section of the Kickstart process.

  5. Indicate whether this script is to run outside of the chroot environment. Refer to the Post-installation Script section of the Red Hat Enterprise Linux System Administration Guide for further explanation of the nochroot option.

[Note]

SUSE Manager supports the inclusion of separate files within the Partition Details section of the Kickstart profile. For instance, you may dynamically generate a partition file based on the machine type and number of disks at Kickstart time. This file can be created via %pre script and placed on the system, such as /tmp/part-include. Then you can call for that file by entering the following line in the Partition Details field of the System Details+Partitioning tab:

%include /tmp/part-include 

3.9.4.18. Autoinstallation File — [Prov]

Figure 3.10. Autoinstallation File

Autoinstallation File

The Autoinstallation File tab allows you to view or download the profile that has been generated from the options chosen in the previous tabs.

3.9.5. Upload a New Kickstart/AutoYaST File

Click on the upload new kickstart/autoyast file link from the Systems+Autoinstallation page to upload an externally prepared AutoYaST or Kickstart profile.

  1. In the first line, enter a profile Label for the automated installation. This label cannot contain spaces, so use dashes (-) or underscores (_) as separators.

  2. Select an Autoinstallable Tree for this profile. The Autoinstallable Tree drop-down menu is only populated if one or more distributions have been created for the selected base channel (see Section 3.9.8, “Autoinstallation > Distributions — [Prov]”).

  3. Instead of selecting a specific tree, you can also check the box Always use the newest Tree for this base channel. This setting lets SUSE Manager automatically pick the latest tree that is associated with the specified base channels. If you add new trees later, SUSE Manager will always keep the most recently created or modified.

  4. Select the Virtualization Type from the drop-down menu.

    [Note]

    If you do not intend to use the autoinstall profile to create virtual guest systems, you can leave the drop-down set to the default choice KVM Virtualized Guest.

  5. Finally, either provide the file contents with cut-and-paste or update the file from the local storage medium:

    • Paste it into the File Contents box and click Create, or

    • enter the file name in the File to Upload field and click Upload File.

Once done, four subtabs are available: Details (see Section 3.9.4.8, “System Details > Details — [Prov]”), Bare Metal Kickstart (see Section 3.9.4.7, “Autoinstallation Details > Bare Metal Autoinstallation — [Prov]”),Variables (see Section 3.9.4.3, “Autoinstallation Details > Variables”), and Autoinstallable File (see Section 3.9.4.18, “Autoinstallation File — [Prov]”) are available.

3.9.6. Autoinstallation > Bare Metal — [Prov]

Lists the IP addresses that have been associated with the profiles created by your organization. Click either the range or the profile name to access different tabs of the Autoinstallation Details page.

3.9.7. Autoinstallation > GPG and SSL Keys — [Prov]

Lists keys and certificates available for inclusion in Kickstart profiles and provides a means to create new ones. This is especially important for customers of SUSE Manager or the Proxy Server because systems kickstarted by them must have the server key imported into SUSE Manager and associated with the relevant Kickstart profiles. Import it by creating a new key here and then make the profile association in the GPG and SSL keys subtab of the Autoinstallation Details page.

To create a new key/certificate, click the create new stored key/cert link in the upper-right corner of the page. Enter a description, select the type, upload the file, and click the Update Key button. Note that a unique description is required.

[Important]

The GPG key you upload to SUSE Manager must be in ASCII format. Using a GPG key in binary format causes anaconda, and therefore the Kickstart process, to fail.

3.9.8. Autoinstallation > Distributions — [Prov]

The Distributions page enables you to find and create custom installation trees that may be used for automated installations.

[Note]

The Distributions page does not display distributions already provided. They can be found within the Distribution drop-down menu of the Autoinstallation Details page.

Before creating a distribution, you must make an installation data available, as described in the Automated Installation chapter of the SUSE Linux Enterprise Deployment Guide (section Simple Mass Installation, Providing the Installation Data) or, respectively, the Kickstart Installations chapter of the Red Hat Enterprise Linux System Administration Guide. This tree must be located in a local directory on the SUSE Manager server.

Procedure 3.6. Creating a Distribution for Autoinstallation

  1. To create a new distribution, on the Autoinstallable Distributions page click create new distribution in the upper right corner.

  2. On the Create Autoinstallable Distribution page, provide the following data:

    1. Enter a label (without spaces) in the Distribution Label field, such as my-orgs-sles-11-sp1 or my-orgs-rhel-as-5.

    2. In the Tree Path field, paste the path to the base of the installation tree. For Red Hat Enterprise Linux systems, you can test this by appending "images/pxeboot/README" to the URL in a Web browser, pressing Enter, and ensuring that the readme file appears.

    3. Select the matching distribution from the Base Channel and Installer Generation drop-down menus, such as SUSE Linux for SUSE Linux Enterprise, or Red Hat Enterprise Linux 5 for Red Hat Enterprise Linux 5 client systems.

  3. When finished, click the Create Autoinstallable Distribution button.

3.9.8.1. Autoinstallation > Distributions > Variables

Autoinstallation variables can be used to substitute values into Kickstart and AutoYaST profiles. To define a variable, create a name-value pair (name/value) in the text box.

For example, if you want to autoinstall a system that joins the network of a specified organization (for example the Engineering department) you can create a profile variable to set the IP address and the gateway server address to a variable that any system using that profile will use. Add the following line to the Variables text box.

IPADDR=192.168.0.28
GATEWAY=192.168.0.1

To use the distribution variable, use the name of the variable in the profile to substitute the value. For example, the network part of a Kickstart file looks like the following:

network --bootproto=static --device=eth0 --onboot=on --ip=$IPADDR \
  --gateway=$GATEWAY

The $IPADDR will be resolved to 192.168.0.28, and the $GATEWAY to 192.168.0.1.

[Note]

There is a hierarchy when creating and using variables in Kickstart files. System Kickstart variables take precedence over Profile variables, which in turn take precedence over Distribution variables. Understanding this hierarchy can alleviate confusion when using variables in Kickstarts.

In AutoYaST profiles you can use such variables as well.

Using variables are just one part of the larger Cobbler infrastructure for creating templates that can be shared between multiple profiles and systems. For more information about Cobbler and templates, refer to Chapter 7, Cobbler (↑Reference Guide).

3.9.9. Autoinstallation > File Preservation — [Prov]

Collects lists of files to be protected and re-deployed on systems during Kickstart. For instance, if you have many custom configuration files located on a system to be kickstarted, enter them here as a list and associate that list with the Kickstart profile to be used.

To use this feature, click the create new file preservation list link at the top. Enter a suitable label and all files and directories to be preserved. Enter absolute paths to all files and directories. Then click Create List.

[Important]

Although file preservation is useful, it does have limitations. Each list is limited to a total size of 1 MB. Special devices like /dev/hda1 and /dev/sda1 are not supported. Only file and directory names may be entered. No regular expression wildcards can be used.

When finished, you may include the file preservation list in the Kickstart profile to be used on systems containing those files. Refer to Section 3.9.4, “Create a New Kickstart Profile” for precise steps.

3.9.10. Autoinstallation > Autoinstallation Snippets — [Prov]

Use snippets to store common blocks of code that can be shared across multiple Kickstart or AutoYaST profiles in SUSE Manager.

3.9.10.1. Autoinstallation > Autoinstallation Snippets > Default Snippets

Default snippets coming with SUSE Manager are not editable. You can use a snippet, if you add the Snippet Macro statement such as $SNIPPET('spacewalk/sles_register_script') to your autoinstallation profile. This is an AutoYaST profile example:

<init-scripts config:type="list">
  $SNIPPET('spacewalk/sles_register_script')
</init-scripts>

When you create a snippet with the create new snippet link, all profiles including that snippet will be updated accordingly.

3.9.10.2. Autoinstallation > Autoinstallation Snippets > Custom Snippets

This is the tab with custom snippets. Click a name of a snippet to view, edit, or delete it.

3.9.10.3. Autoinstallation > Autoinstallation Snippets > All Snippets

The All Snippets tab lists default and custom snippets together.

Chapter 4. Patches

Select the Patches tab from the top navigation bar to track the availability and application of patches to your managed systems.

The Patches Overview page displays relevant patches for at least one of your managed systems that have not been applied yet.

[Note]Receiving Patches for Your System

To receive an email when patches are issued for your system, go to Overview+Your Preferences and select Receive email notifications.

SUSE distinguishes three types of patches: security updates, bug fix updates, and enhancement updates. Each patch is comprised of a summary of the problem and solution, including the RPM packages fixing the problem.

Icons are used to identify the three types:

  • — Security Updates available, strongly recommended

  • — Bug Fix Updates available, recommended

  • — Enhancement Updates available, optional

A summary of each patch is provided in list form displaying the type, severity (for security updates), and subject of the patch, as well as the number of affected systems in your network.

In addition, you may view patches by product line at the following location: http://download.novell.com/patch/psdb/. An RSS feed with security updates is available at https://www.suse.com/support/security/.

4.1. Relevant Patches

The Relevant Patches page displays a customized list of patches applying to your registered systems. The list provides a summary of each patch, including its type, severity (for security updates), advisory number, synopsis, systems affected, and date updated.

Clicking on a patch Advisory takes you to the Details page of the Patch Details page. Clicking on the number of associated systems takes you to the Affected Systems page of the Patch Details page. Refer to Section 4.2.2, “Patch Details” for more information.

4.2. All Patches

Figure 4.1. List of All Patches

List of All Patches

The All Patches page displays a list of all patches released by SUSE. Like in the Relevant Patches page, clicking either Advisory or the number of systems affected takes you to related tabs of the Patch Details page. Refer to Section 4.2.2, “Patch Details” for more information.

4.2.1. Apply Patches

Patches include a list of updated packages. To apply patches to a system, the system must be entitled.

Apply all applicable patches to a system by clicking on Systems+Systems in the top and left navigation bars. Click on the name of an entitled system. Then in the System Details page click the Patches tab. When the relevant patch list appears, click Select All then Apply Patches on the bottom right-hand corner of the page. Only patches not scheduled, scheduled but failed, or canceled patches are listed. Pending updates are excluded.

In addition, Management users can apply patches using two other methods:

  • To apply a specific patch to one or more systems, locate it in the patch list and click on the number of systems affected, which takes you to the Affected Systems page of the Patch Details page. Select the individual systems to be updated and click the Apply Patches button. Double-check the systems to be updated on the confirmation page, then click the Confirm button.

  • To apply more than one patch to one or more systems, select the systems from the Systems list and click the Update List button. Click the System Set Manager link in the left navigation bar, then click the Systems tab. After ensuring the appropriate systems are selected, click the Patch tab, select the patches to apply, and click the Apply Patch button. Schedule a date and time for the patch to be applied. Default is the current date. Click the Schedule Updates button. You can follow the progress of the patch application via the Pending Actions list. Refer to Chapter 9, Schedule for more details.

[Important]

If you use scheduled package installation, the packages or patches are installed via the SUSE Manager daemon. You must enable the SUSE Manager daemon on your systems. Refer to Chapter 3, SUSE Manager Daemon (↑Reference Guide) for more details.

The following rules apply to patches:

  • Each package is a member of one or more channels. If a selected system is not subscribed to a channel containing the package, the update will not be installed on that system.

  • If a newer version of the package is already installed on the system, the update will not be installed.

  • If an older version of the package is installed, the package will be upgraded.

4.2.2. Patch Details

If you click on the advisory of a patch in the Relevant or All pages, its Patch Details page appears. This page is further divided into the following tabs:

4.2.2.1. Patch Details > Details

This subtab displays the patch report issued by SUSE. It provides a synopsis of the patch first, including the severity (for security updates), issue date, and any update dates. This is followed by a description of the patch and the steps required to resolve the issue.

Below the Affected Channels label, all channels that contain the affected package are listed. Clicking on a channel name displays the Packages subtab of the Channel Details page for that channel. Refer to Section 5.1.9, “Software Channel Details” for more information.

Security updates list the specific vulnerability as tracked by http://cve.mitre.org. This information is listed below the CVEs label.

OVAL is an open vulnerability and assessment language promoted by Mitre, http://oval.mitre.org. Clicking on the link below the Oval label downloads this information to your system. More useful are the collected Novell/SUSE Linux security updates on http://support.novell.com/security/cve/.

4.2.2.2. Patch Details > Packages

This page provides links to each of the updated RPMs by channel. Clicking on the name of a package displays its Package Details page.

4.2.2.3. Patch Details > Affected Systems

This page lists systems affected by the patches. You can apply updates here. (See Section 4.2.1, “Apply Patches”.) Clicking on the name of a system takes you to its System Details page. Refer to Section 3.2.14, “System Details” for more information.

To determine whether an update has been scheduled, refer to the Status column in the affected systems table. Possible values are: None, Pending, Picked Up, Completed, and Failed. This column identifies only the last action related to a patch. For instance, if an action fails and you reschedule it, this column shows the status of the patch as pending with no mention of the previous failure. Clicking a status other than None takes you to the Action Details page. This column corresponds to one on the Patch tab of the System Details page.

4.3. Advanced Search

The Patches Search page allows you to search through patches by specific criteria.

Figure 4.2. Patches Search

Patches Search

  • All Fields — Search patches by synopsis, description, topic, or solution.

  • Patch Advisory — The SUSE security team codifies advisories in the following way:

    SUSE-RU-2011:0030

    Searches can be done by year (such as 2011), by type of advisory, or full advisory name as in the example above.

  • Package Name — Search particular packages by name:

    kernel

    Results will be grouped by advisory. For example, searching for 'kernel' returns all package names containing the string kernel, grouped by advisory.

  • CVE — The name assigned to the security advisory by the Common Vulnerabilities and Exposures (CVE) project at http://cve.mitre.org. For example:

    CVE-2006-4535

To filter patch search results, check or uncheck the boxes next to the type of advisory:

  • Bug Fix Advisory — Patches that fix issues reported by users or discovered during development or testing.

  • Security Advisory — Patches fixing a security issue found during development, testing, or reported by users or a software security clearing house. A security advisory usually has one or more CVE names associated with each vulnerability found in each package.

  • Product Enhancement Advisory — Patches providing new features, improving functionality, or enhancing performance of a package.

4.4. Manage Patches

Custom patches enable organizations to issue patch alerts for the packages in their custom channels, schedule deployment and manage patches across organizations.

[Warning]

If the organization is using both SUSE Manager and SUSE Manager Proxy, manage patches only on the SUSE Manager since the proxy servers receive updates directly from it. Managing patches on a proxy in this combined configuration risks putting your servers out of sync.

Patch management distinguishes between published and unpublished patches.

  • Published: displays the patch alerts the organization has created and disseminated. To edit an existing published patch, follow the steps described in Section 4.4.1, “Creating and Editing Patches”. To distribute the patch, click Send Notification on the top-right corner of the Patch Details page. The patch alert is sent to the administrators of all affected systems.

  • Unublished: displays the patch alerts your organization has created but not yet distributed. To edit an existing unpublished patch, follow the steps described in Section 4.4.1, “Creating and Editing Patches”. To publish the patch, click Publish Patch on the top-right corner of the Patch Details page. Confirm the channels associated with the patch and click the Publish Patch button, now in the lower-right corner. The patch alert is moved to the Published page awaiting distribution.

4.4.1. Creating and Editing Patches

To create a custom patch alert, proceed as follows:

  1. On the top navigation bar, click on Patches, then select Manage Patches on the left navigation bar. On the Patch Management page, click create new patch.

  2. Enter a label for the patch in the Advisory field, ideally following a naming convention adopted by your organization.

  3. Complete all remaining required fields, then click the Create Patch button. View standard SUSE Alerts for examples of properly completed fields.

SUSE Manager administrators can also create patches by cloning an existing one. Cloning preserves package associations and simplifies issuing patches. See Section 4.4.4, “Cloning Patches” for instructions.

To edit an existing patch alert's details, click its advisory on the Patch Management page, make the changes in the appropriate fields of the Details tab, and click the Update Patch button. Click on the Channels tab to alter the patch's channel association. Click on the Packages tab to view and modify its packages.

To delete patches, select their check boxes on the Patch Management page, click the Delete Patch button, and confirm the action. Note that deleting published patches might take a few minutes.

4.4.2. Assigning Packages to Patches

To assign packages to patches, proceed as follows:

  1. Select a patch, click on the Packages tab, then the Add subtab.

  2. To associate packages with the patch being edited, select the channel from the View drop-down menu that contains the packages and click View. Packages already associated with the patch being edited are not displayed. Selecting All managed packages presents all available packages.

  3. After clicking View, the package list for the selected option appears. Note that the page header still lists the patch being edited.

  4. In the list, select the check boxes of the packages to be assigned to the edited patch and click Add Packages at the bottom-right corner of the page.

  5. A confirmation page appears with the packages listed. Click Confirm to associate the packages with the patch. The List/Remove subtab of the Managed Patch Details page appears with the new packages listed.

Once packages are assigned to a patch, the patch cache is updated to reflect the changes. This update is delayed briefly so that users may finish editing a patch before all the changes are made available. To initiate the changes to the cache manually, follow the directions to commit the changes immediately at the top of the page.

4.4.3. Publishing Patches

After adding packages to the patch, the patch needs to be published to be disseminated to affected systems. Follow this procedure to publish patches:

  1. On the top navigation bar, click on Patches, then Manage Patches on the left navigation bar.

  2. Click on Publish Patch. A confirmation page appears that will ask you to select which channels you wish to make the patch available in. Choose the relevant channels.

  3. Click Publish Patch. The patch published will now appear on the Published page of Manage Patches.

4.4.4. Cloning Patches

Patches can be cloned for easy replication and distribution as part of SUSE Manager. Only patches potentially applicable to one of your channels can be cloned. Patches can be applicable to a channel if that channel was cloned from a channel to which the patch applies. To access this functionality, click Patches on the top navigation bar, then Clone Patches on the left navigation bar.

On the Clone Patches page, select the channel containing the patch from the View drop-down menu and click View. Once the patch list appears, select the check box of the patch to be cloned and click Clone Patch. A confirmation page appears with the patch listed. Click Confirm to finish cloning.

The cloned patch appears in the Unpublished patch list. Verify the patch text and the packages associated with that patch, then publish the patch so it is available to users in your organization.

Chapter 5. Channels

If you click the Channels tab on the top navigation bar, the Channels category and links appear. The pages in the Channels category enable you to view and manage the channels and packages associated with your systems.

5.1. Software Channels

The Software Channels page is the first to appear in the Channels category. A software channel provides packages grouped by products or applications to ease the selection of packages to be installed on a system.

There are two types of software channels: base channels and child channels.

5.1.1. Base Channels

A base channel consists of packages built for a specific architecture and release. For example, all of the packages in SUSE Linux Enterprise Server 11 for the x86_64 architecture make up a base channel. The list of packages in SUSE Linux Enterprise Server 11 for the i586 architecture make up a different base channel.

A system must be subscribed to only one base channel assigned automatically during registration based on the SUSE Linux Enterprise release and system architecture. In case of paid base channels, an associated entitlement must exist.

5.1.2. Child Channels

A child channel is associated with a base channel and provides extra packages. For instance, an organization can create a child channel associated with SUSE Linux Enterprise Server on i586 architecture that contains extra packages for a custom application.

A system can be subscribed to multiple child channels of its base channel. Only packages provided by a subscribed channel can be installed or updated. SUSE Manager customers have channel management authority. This authority gives them the ability to create and manage their own custom channels.

[Note]

Do not create child channels containing packages that are not compatible with the client system.

Channels can be further distinguished by relevance: All Channels, SUSE Channels, Popular Channels, My Channels, Shared Channels, and Retired Channels.

5.1.3. All Channels

Under Software Channels in the left navigation bar click All Channels to reach the page shown in Figure 5.1, “All Channels”. All channels available to your organization are listed. Links within this list go to different tabs of the Software Channel Details page. Clicking on a channel name takes you to the Details tab. Clicking on the number of packages takes you to the Packages tab. Clicking on the number of systems takes you to the Subscribed Systems tab. Refer to Section 5.1.9, “Software Channel Details” for details.

Figure 5.1. All Channels

All Channels

5.1.4. SUSE Channels

The SUSE Channels page displays the SUSE channels and their available child channels.

[Warning]SUSE Channels Cannot be Deleted

Once imported, SUSE channels cannot be deleted. Only custom software channels can be deleted.

5.1.5. Popular Channels

The Popular Channels page displays the software channels most subscribed by systems registered to your organization. You can refine the search by using the drop-down menu to list only the channels with at least a certain number of systems subscribed.

5.1.6. My Channels

The My Channels page displays all software channels that belong to your organization, including both SUSE and custom channels. Use the text box to filter by channel name.

5.1.7. Shared Channels

The Shared Channels page displays the channels shared with others in the organizational trust. For more information, refer to Section “Sharing Content Channels between Organizations in a Trust” (Chapter 5, Managing Multiple Organizations, ↑Reference Guide).

5.1.8. Retired Channels

The Retired Channels page displays available channels that have reached their end-of-life dates and do not receive updates.

5.1.9. Software Channel Details

If you click on the name of a channel, the Software Channel Details page appears. Here the following tabs are available:

5.1.9.1. Software Channel Details > Details

General information about the channel and its parent if applicable. This summary, description, and architecture is also displayed when clicking on a channel.

[Mgmt] — In addition, Per-User Subscription Restrictions can be set globally by SUSE Manager administrators and channel administrators. By default, any user can subscribe channels to a system. To manage user permissions, select Only selected users within your organization may subscribe to this channel and click Update. The Subscribers tab appears. Click on it to grant specific users subscription permissions to a channel. SUSE Manager administrators and channel administrators can always subscribe any channels to a system.

[Mgmt] — Only customers with custom base channels can change their systems' base channel assignments via the SUSE Manager Web interface in two ways:

  • Assign the system to a custom base channel.

  • Revert subscriptions from a custom base channel to the appropriate distribution-based base channel.

[Note]

The assigned base channel must match the installed system. For example, a system running SUSE Linux Enterprise 10 for i586 cannot be registered to a SUSE Linux Enterprise 11 for i586 base channel. Use the file /etc/SuSE-release to check your product, architecture, version, and patch level.

5.1.9.2. Software Channel Details > Managers

On the Managers page, you can check which users are authorized to manage the selected channel. Real name and email address are listed with the user names. Organization and Channel administrators can manage any channel. As a SUSE Manager administrator you can change roles for specific users by clicking on the name. For more information on user management and the User Details page, see Chapter 10, Users — [Mgmt].

5.1.9.3. Software Channel Details > Patches

This page lists patches to be applied to packages provided in the channel. The list displays advisory types, names, summaries, and issue dates. Clicking on an advisory name takes you to its Patch Details page. Refer to Section 4.2.2, “Patch Details” for more information.

5.1.9.4. Software Channel Details > Packages

This page lists packages in the channel. Clicking on a package name takes you to the Package Details page. This page displays a set of tabs with information about the package, including architectures on which it runs, the package size, build date, package dependencies, change log, list of files in the package, newer versions, and which systems have the package installed. Download the packages as RPMs.

To search for a specific package or a subset of packages, use the package filter at the top of the list. Enter a substring to search for package names containing the string. For example, typing ks in the filter might return: ksconfig, krb5-workstation, and links. The filter is case-insensitive.

5.1.9.5. Software Channel Details > Subscribed Systems

The list displays system names, base channels, and their levels of entitlement. Clicking on a system name takes you to its System Details page. Refer to Section 3.2.14, “System Details” for more information.

[Mgmt] — In case of a child channel, you have the option to unsubscribe systems from this channel. Use the check boxes to select the systems, then click the Unsubscribe button.

5.1.9.6. Software Channel Details > Target Systems

List of entitled systems eligible for subscription to the channel. This tab appears only for child channels. Use the check boxes to select the systems, then click the Confirm and Subscribe button on the bottom right-hand corner. You will receive a success message or be notified of any errors. This can also be accomplished through the Channels tab of the System Details page. Refer to Section 3.2.14, “System Details” for more information.

5.2. Package Search

Figure 5.2. Package Search

Package Search

The Package Search page allows you to search through packages using various criteria (provided by the What to search for selection list):

  • Free Form — a general keyword search useful when the details of a particular package and its contents are unknown.

  • Name Only — Targeted search to find a specific package known by name.

  • Name and Summary — Search for a package or program which might not show up in the respective package name but in its one-line summary.

  • Name and Description — Search package names and their descriptions. Search results for web browser include both graphical and text-based browsers.

The Free Form field additionally allows you to search using field names that you prepend to search queries and filter results by that field keyword.

For example, if you wanted to search all of the SUSE Linux Enterprise packages for the word java in the description and summary, type the following in the Free Form field:

summary:java  and description:java

Other supported field names include:

  • name: search package names for a particular keyword,

  • version: search for a particular package version,

  • filename: search the package filenames for a particular keyword,

  • description: search the packages' detailed descriptions for a particular keyword,

  • summary: search the packages' brief summary for a particular keyword,

  • arch: search the packages by their architecture (such as i586, x86_64, or s390).

You can also limit searches to Channels relevant to your systems by clicking the check box. Additionally, you can restrict your search by platform or architecture.

5.3. Manage Software Channels

This tab allows administrators to create, clone, and delete custom channels. These channels may contain altered versions of distribution-based channels or custom packages.

5.3.1. Manage Software Channels > Channel Details

The default screen of the Manage Software Channels tab lists all available channels including custom, distribution-based, and child channels.

To clone an existing channel, click the clone channels link. Select the channel to be cloned from the drop-down menu, select whether to clone the current state (including patches) or the original state (without patches). You can also select specific patches to use for cloning. Then click the Create Channel button. In the next screen select options for the new channel, including base architecture and GPG, then click Create Channel.

To create a new channel, click the create new channel link. Select the appropriate options for the new channel, including base architecture and GPG options, then click Create Channel. Note that a channel created in this manner is blank, containing no packages. You must either upload software packages or add packages from other repositories. You may also choose to include patches in your custom channel.

5.3.1.1. Manage Software Channels > Channel Details > Details

This screen lists the selections made during channel creation and includes the Globally Subscribable check box that permits all users to subscribe systems to the channel.

5.3.1.2. Manage Software Channels > Channel Details > Managers

SUSE Manager administrators and channel administrators may alter or delete any channel. To grant other users rights to alter or delete this channel, check the box next to the user's name and click Update.

To allow all users to manage the channel, click the Select All button at the bottom of the list then click Update. To remove a user's right to manage the channel, uncheck the box next to their name and click Update.

5.3.1.3. Manage Software Channels > Channel Details > Patches

Channel managers can list, remove, clone, and add patches to their custom channel. Custom channels not cloned from a distribution may not contain patches until packages are available. Only patches that match the base architecture and apply to a package in that channel may be added. Finally, only cloned or custom patches may be added to custom channels. Patches may be included in a cloned channel if they are selected during channel creation.

The Sync tab lists patches that were updated since they were originally cloned in the selected cloned channel. More specifically, a patch is listed here if and only if:

  • it is a cloned patch,

  • it belongs to the selected cloned channel,

  • it has already been published in the selected cloned channel,

  • it does not contain a package that the original patch has, or it has at least one package with a different version with respect to the corresponding one in the original patch, or both.

Clicking on the "Sync Patches" button opens a confirmation page in which a subset of those patches can be selected for synchronization. Clicking on the "Confirm" button in the confirmation page results in such patches being copied over from the original channel to the cloned channel, thus updating corresponding packages.

5.3.1.4. Manage Software Channels > Channel Details > Packages

As with patches, administrators can list, remove, compare, and add packages to a custom channel.

To list all packages in the channel, click the List / Remove Packages link. Check the box to the left of any package you wish to remove, then click Remove Packages.

To add packages, click the Add Packages link. From the drop down menu choose a channel from which to add packages and click View to continue. Check the box to the left of any package you wish to add to the custom channel, then click Add Packages.

To compare packages in the current channel with those in another, select that channel from the drop-down menu and click Compare. Packages in both channels are compared, including architecture and version. The results are displayed on the next screen.

To make the two channels identical, click the Merge Differences button. In the next dialog, resolve any conflicts. Preview Merge allows you to review the changes before applying them to the channels. Select those packages that you wish to merge. Click Merge Packages then Confirm to perform the merge.

5.3.1.5. Manage Software Channels > Channel Details > Repositories

On the Repositories page, assign software repositories to the channel and synchronize repository content:

  • Add/Remove lists configured repositories, which can be added and removed by selecting the check box next to the repository name and clicking Update Repositories.

  • Sync lists configured repositories. The synchronization schedule can be set using the drop-down boxes, or an immediate synchronization can be performed by clicking Sync Now.

The Manage Repositories tab to the left shows all assigned repositories. Click on a name to see details and possibly delete a repository.

5.3.2. Manage Software Channels > Manage Software Packages

To manage custom software packages, list all software or view only packages in a custom channel. Select the respective channel from the drop-down menu and click View Packages.

5.3.3. Manage Software Channels > Manage Repositories

Add or manage custom or third-party package repositories and link the repositories to an existing channel. The repositories feature currently supports repomd repositories.

To create a new repository click the create new repository link at the top right of the Manage Repositories page. The Create Repository screen prompts you to enter a Repository Label such as sles-11-x86_64 and a Repository URL. You may enter URLs pointing to mirror lists or direct download repositories, then click Create Repository.

To link the new repository to an existing software channel, select Manage Software Channels from the left menu, then click the channel you want to link. In the channel's Detail page, click the Repositories subtab, then check the box next to the repository you want to link to the channel. Click Update Repositories.

To synchronize packages from a custom repository to your channel, click the Sync link from the channel's Repositories subtab, and confirm by clicking the Sync button.

You can also perform a sync via command-line by using the spacewalk-repo-sync command, which additionally allows you to accept keys.

In previous versions, every spacewalk-repo-sync created a new log file in the /etc/sysconfig/rhn/reposync directory. SUSE Manager 2.1 uses one log file per channel and reuses it with the next sync run. If you like, manually remove the obsolete file /etc/sysconfig/rhn/reposync and the last log files with a time stamp from /var/log/rhn/reposync/.

Chapter 6. Audit

Select the Audit tab from the top navigation bar to audit your managed systems.

6.1. CVE Audit

The CVE Audit page will display a list of client systems with their patch status regarding a given CVE (Common Vulnerabilities and Exposures) number.

Figure 6.1. CVE Audit

CVE Audit

6.1.1. Normal Usage

Proceed as follows if you want to verify that a client system has received a given CVE patch:

  1. Make sure that the CVE data is up-to-date. For more information, see Section 6.1.3, “Maintaining CVE Data”.

  2. Click the Audit tab to open the CVE Audit page.

  3. Input a 13-char CVE identifier in the CVE Number field. The year setting will be automatically adjusted. Alternatively, set the year manually and add the last four digits.

  4. Optionally, uncheck the patch statuses you are not interested in.

  5. Click Audit systems.

Then a list of client systems is displayed, where each system comes with a Patch Status describing its situation regarding the given CVE identifier. Possible statuses are:

[red] Affected, patches are available in channels that are not assigned:

The system is affected by the vulnerability and SUSE Manager has one or more patches for it, but at this moment, the channels offering the patches are not assigned to the system.

[orange] Affected, at least one patch available in an assigned channel:

The system is affected by the vulnerability, SUSE Manager has at least one patch for it in a channel that is directly assigned to the system.

[grey] Not affected:

The system does not have any packages installed that are patchable.

[green] Patched:

A patch has already been installed.

  • More than one patch might be needed to fix a certain vulnerability.

  • The [orange] state is displayed as soon as SUSE Manager has at least one patch in an assigned channel. This might mean that, after installing such patch, others might be needed—users should double check the CVE Audit page after applying a patch to be sure that their systems are not affected anymore.

For a more precise definitions of these states, see Section 6.1.4, “Tips and Background Information”.

[Note]Unknown CVE Number

If the CVE number is not known to SUSE Manager, an error message is displayed because SUSE Manager is unable to collect and display any audit data.

For each system, the Next Action column contains suggestions on the steps to take in order to address the vulnerabilities. Under these circumstances it is either sensible to install a certain patch or assign a new channel. If applicable, a list of candidate channels or patches is displayed for your convenience.

You can also assign systems to a System Set for further batch processing.

6.1.2. API Usage

An API method called audit.listSystemsByPatchStatus is available to run CVE audits from custom scripts. Details on how to use it are available in the API guide.

6.1.3. Maintaining CVE Data

To produce correct results, CVE Audit must periodically refresh the data needed for the search in the background. By default, the refresh is scheduled at 11:00 PM every night. It is recommended to run such a refresh right after the SUSE Manager installation to get proper results immediately instead of waiting until the next day.

  1. In the Web interface, click the Admin tab.

  2. Click Task schedules in the left menu.

  3. Click the cve-server-channels-default schedule link.

  4. Click the cve-server-channels-bunch link.

  5. Click the Single Run Schedule button.

  6. After some minutes, refresh the page and check that the scheduled run status is FINISHED.

A direct link is also available in the CVE Audit tab.

6.1.4. Tips and Background Information

Audit results are only correct if the assignment of channels to systems did not change since the last scheduled refresh (normally at 11:00 PM every night). If a CVE audit is needed and channels were assigned or unassigned to any system during the day, a manual run is recommended. For more information, see Section 6.1.3, “Maintaining CVE Data”.

Systems are called affected, not affected or patched not in an absolute sense, but based on information available to SUSE Manager. This implies that concepts such as being affected by a vulnerability have particular meanings in this context. The following definitions apply:

System affected by a certain vulnerability:

A system which has an installed package with version lower than the version of the same package in a relevant patch marked for the vulnerability.

System not affected by a certain vulnerability:

A system which has no installed package that is also in a relevant patch marked for the vulnerability.

System patched for a certain vulnerability:

A system which has an installed package with version equal to or greater than the version of the same package in a relevant patch marked for the vulnerability.

Relevant patch:

A patch known by SUSE Manager in a relevant channel.

Relevant channel:

A channel managed by SUSE Manager, which is either assigned to the system, the original of a cloned channel which is assigned to the system, a channel linked to a product which is installed on the system or a past or future service pack channel for the system.

A notable consequence of the above definitions is that results can be incorrect in cases of unmanaged channels, unmanaged packages, or non-compliant systems.

6.2. OpenSCAP

If you click the OpenSCAP tab on the left navigation bar, an overview of the OpenSCAP Scans appears. SCAP (Security Content Automation Protocol) is a framework to maintain the security of enterprise systems. It mainly performs the following tasks:

  • automatically verifies the presence of patches,

  • checks system security configuration settings,

  • examines systems for signs of compromise.

For a description of the Web interface dialogs, see Section 7.5, “OpenSCAP SUSE Manager Web Interface”.

For instructions and tips on how to best use OpenSCAP with SUSE Manager, refer to Chapter 7, System Security via OpenSCAP. To learn more about OpenSCAP check out the project homepage at http://open-scap.org.

Chapter 7. System Security via OpenSCAP

The Security Certification and Authorization Package (SCAP) is a standardized compliance checking solution for enterprise-level Linux infrastructures. It is a line of specifications maintained by the National Institute of Standards and Technology (NIST) for maintaining system security for enterprise systems.

SUSE Manager 1.7 and later use OpenSCAP to implement the SCAP specifications. OpenSCAP is an auditing tool that utilizes the Extensible Configuration Checklist Description Format (XCCDF). XCCDF is a standard way of expressing checklist content and defines security checklists. It also combines with other specifications such as Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), and Open Vulnerability and Assessment Language (OVAL), to create a SCAP-expressed checklist that can be processed by SCAP-validated products.

7.1. OpenSCAP Features

OpenSCAP verifies the presence of patches by using content produced by the SUSE Security Team (https://www.suse.com/support/security/), checks system security configuration settings and examines systems for signs of compromise by using rules based on standards and specifications.

To effectively use OpenSCAP, the following must be available:

A tool to verify a system confirms to a standard

SUSE Manager 1.7 and later use OpenSCAP as an auditing feature. It allows you to schedule and view compliance scans for any system.

SCAP content

SCAP content files defining the test rules can be created from scratch if you understand at least XCCDF or OVAL. XCCDF content is also frequently published online under open source licenses and this content can be customized to suit your needs.

The openscap-content package provides default content guidance for systems via a template.

[Note]

SUSE supports the use of templates to evaluate your systems. However, you are creating custom content at your own risk.

SCAP was created to provide a standardized approach to maintaining system security, and the standards that are used will therefore continually change to meet the needs of the community and enterprise businesses. New specifications are governed by NIST's SCAP Release cycle in order to provide a consistent and repeatable revision work flow. For more information, see http://scap.nist.gov/timeline.html.

7.2. Prerequisites for Using OpenSCAP in SUSE Manager

The following sections describe the server and client prerequisites for using OpenSCAP.

Package Requirements

As Server: SUSE Manager 1.7 or later.

For the Client: spacewalk-oscap package (available from the SUSE Manager Tools Child Channel).

Entitlement Requirements

A Management entitlement is required for scheduling scans.

Other Requirements

Client: Distribution of the XCCDF content to all client machines.

You can distribute XCCDF content to client machines using any of the following methods:

  • Traditional Methods (CD, USB, NFS, scp, ftp)

  • SUSE Manager Scripts

  • RPMs

Custom RPMs are the recommended way to distribute SCAP content to other machines. RPM packages can be signed and verified to ensure their integrity. Installation, removal, and verification of RPM packages can be managed from the user interface.

7.3. Performing Audit Scans

OpenSCAP integration in SUSE Manager provides the ability to perform audit scans on client systems. This section describes the available scanning methods.

Procedure 7.1. Scans via the Web Interface

  1. To perform a scan via the Web interface, log in to SUSE Manager.

  2. Click on Systems and select the target system.

  3. Click on Audit+Schedule.

  4. Fill in the Schedule New XCCDF Scan form. See Section 7.5.2.3, “Schedule Page” for more information about the fields on this page.

    [Warning]

    The XCCDF content is validated before it is run on the remote system. Specifying invalid arguments can make spacewalk-oscap fail to validate or run. Due to security concerns the oscap xccdf eval command only accepts a limited set of parameters.

    Run the mgr_check command to ensure the action is being picked up by the client system.

    mgr_check -vv
    [Note]

    If the SUSE Manager daemon (rhnsd) or osad are running on the client system, the action will be picked up by these services. To check if they are running, use:

    service rhnsd start

    or

    service osad start

To view the results of the scan, refer to Section 7.4, “Viewing SCAP Results”.

Figure 7.1. Scheduling a Scan via the Web Interface

Scheduling a Scan via the Web Interface

Procedure 7.2. Scans via API

  1. To perform an audit scan via API, choose an existing script or create a script for scheduling a system scan through system.scap.scheduleXccdfScan, the front end API, for example:

    #!/usr/bin/python
    client = xmlrpclib.Server('https://spacewalk.example.com/rpc/api')
    key = client.auth.login('username', 'password')
    client.system.scap.scheduleXccdfScan(key, 1000010001,
        '/usr/local/share/scap/usgcb-sled11desktop-xccdf.xml',
        '--profile united_states_government_configuration_baseline')

    Where:

    • 1000010001 is the system ID (sid).

    • /usr/local/share/scap/usgcb-sled11desktop-xccdf.xml is the path to the content location on the client system. In this case, it assumes USGCB content in the /usr/local/share/scap directory.

    • --profile united_states_government_configuration_baseline is an additional argument for the oscap command. In this case, it is using the USGCB.

  2. Run the script on the command-line interface of any system. The system needs the appropriate Python and XML-RPC libraries installed.

  3. Run the mgr_check command to ensure that the action is being picked up by the client system.

    mgr_check -vv

    If the SUSE Manager daemon (rhnsd) or osad are running on the client system, the action will be picked up by these services. To check if they are running, use:

    service rhnsd start

    or

    service osad start
[Note]Enabling Upload of Detailed SCAP Files

To make sure detailed information about the scan will be available, activate the upload of detailed SCAP files on the clients to be evaluated. On the Admin page, click on Organization and select one. Click on the Configuration tab and check Enable Upload Of Detailed SCAP Files. This feature generates an additional HTML version when you run a scan. The results will show an extra line like: Detailed Results: xccdf-report.html xccdf-results.xml scap-yast2sec-oval.xml.result.xml.

7.4. Viewing SCAP Results

There are three methods of viewing the results of finished scans:

  • Via the Web interface. Once the scan has finished, the results should show up on the Audit tab of a specific system. This page is discussed in Section 7.5, “OpenSCAP SUSE Manager Web Interface”.

  • Via the API functions in handler system.scap.

  • Via the spacewalk-report command as follows:

    spacewalk-report system-history-scap
    spacewalk-report scap-scan
    spacewalk-report scap-scan-results
    

7.5. OpenSCAP SUSE Manager Web Interface

The following sections describe the tabs in the SUSE Manager Web interface that provide access to OpenSCAP and its features.

7.5.1. OpenSCAP Scans Page

Click the Audit tab on the top navigation bar, then OpenSCAP on the left. Here you can view, search for, and compare completed OpenSCAP scans.

7.5.1.1. OpenSCAP > All Scans

All Scans is the default page that appears on the Audit+OpenSCAP page. Here you see all the completed OpenSCAP scans you have permission to view. Permissions for scans are derived from system permissions.

For each scan, the following information is displayed:

System:

the scanned system.

XCCDF Profile:

the evaluated profile.

Completed:

time of completion.

Satisfied:

number of rules satisfied. A rule is considered to be satisfied if the result of the evaluation is either Pass or Fixed.

Dissatisfied:

number of rules that were not satisfied. A rule is considered Dissatisfied if the result of the evaluation is a Fail.

Unknown:

number of rules which failed to evaluate. A rule is considered to be Unknown if the result of the evaluation is an Error, Unknown or Not Checked.

The evaluation of XCCDF rules may also return status results like Informational, Not Applicable, or not Selected. In such cases, the given rule is not included in the statistics on this page. See System Details+Audit for information on these types of results.

7.5.1.2. OpenSCAP > XCCDF Diff

XCCDF Diff is an application that visualizes the comparison of two XCCDF scans. It shows metadata for two scans as well as the lists of results.

Click the appropriate icon on the Scans page to access the diff output of similar scans. Alternatively, specify the ID of scans you want to compare.

Items that show up in only one of the compared scans are considered to be "varying". Varying items are always highlighted in beige. There are three possible comparison modes:

Full Comparison

all the scanned items.

Only Changed Items:

items that have changed.

Only Invariant:

unchanged or similar items.

7.5.1.3. OpenSCAP > Advanced Search

Use the Advanced Search page to search through your scans according to specified criteria including:

  • rule results,

  • targeted machine,

  • time frame of the scan.

Figure 7.2. OpenSCAP Advanced Search

OpenSCAP Advanced Search

The search either returns a list of results or a list of scans, which are included in the results.

7.5.2. Systems Audit Page

To display a system's audit page, click Systems+system_name+Audit. Use this page to schedule and view compliance scans for a particular system. Scans are performed by the OpenSCAP tool, which implements NIST's standard Security Content Automation Protocol (SCAP). Before you scan a system, make sure that the SCAP content is prepared and all prerequisites in Section 7.2, “Prerequisites for Using OpenSCAP in SUSE Manager” are met.

7.5.2.1. List Scans

This subtab lists a summary of all scans completed on the system. The following columns are displayed:

XCCDF Test Result

The scan test result name, which provides a link to the detailed results of the scan.

Completed

The exact time the scan finished.

Compliance

The unweighted pass/fail ratio of compliance based on the Standard used.

P

Number of checks that passed.

F

Number of checks that failed.

E

Number of errors that occurred during the scan.

U

Unknown.

N

Not applicable to the machine.

K

Not checked.

S

Not Selected.

I

Informational.

X

Fixed.

Total

Total number of checks.

Each entry starts with an icon indicating the results of a comparison to a previous similar scan. The icons indicate the following:

  • "RHN List Checked" Icon — no difference between the compared scans.

  • "RHN List Alert" Icon — arbitrary differences between the compared scans.

  • "RHN List Error" Icon — major differences between the compared scans. Either there are more failures than the previous scan or less passes

  • "RHN List Check In" Icon — no comparable scan was found, therefore, no comparison was made.

To find out what has changed between two scans in more detail, select the ones you are interested in and click Compare Selected Scans. To delete scans that are no longer relevant, select those and click on Remove Selected Scans. Scan results can also be downloaded in CSV format.

7.5.2.2. Scan Details

The Scan Details page contains the results of a single scan. The page is divided into two sections:

Details of the XCCDF Scan

This section displays various details about the scan, including:

  • File System Path: the path to the XCCDF file used for the scan.

  • Command-line Arguments: any additional command-line arguments that were used.

  • Profile Identifier: the profile identifier used for the scan.

  • Profile Title: the title of the profile used for the scan.

  • Scan's Error output: any errors encountered during the scan.

XCCDF Rule Results

The rule results provide the full list of XCCDF rule identifiers, identifying tags, and the result for each of these rule checks. This list can be filtered by a specific result.

7.5.2.3. Schedule Page

Use the Schedule New XCCDF Scan page to schedule new scans for specific machines. Scans occur at the system's next scheduled check-in that occurs after the date and time specified. The following fields can be configured:

Command-line Arguments:

Optional arguments to the oscap command, either:

  • --profile PROFILE: Specifies a particular profile from the XCCDF document.

    Profiles are determined by the Profile tag in the XCCDF XML file. Use the oscap command to see a list of profiles within a given XCCDF file, for example:

    $ oscap info /usr/local/share/scap/dist_sles11_scap-sles11-oval.xml
    Document type: XCCDF Checklist
    Checklist version: 1.1
    Status: draft
    Generated: 2011-10-12
    Imported: 2012-11-15T22:10:41
    Resolved: false
    Profiles: SLES11-Default
    

    If not specified, the default profile is used. Some early versions of OpenSCAP in require that you use the --profile option or the scan will fail.

  • --skip-valid: Do not validate input and output files. You can use this option to bypass the file validation process if you do not have well-formed XCCDF content.

Path to XCCDF Document:

This is a required field. The path parameter points to the XCCDF content location on the client system. For example: /usr/local/scap/dist_rhel6_scap-rhel6-oval.xml

[Warning]

The XCCDF content is validated before it is run on the remote system. Specifying invalid arguments can cause spacewalk-oscap to fail to validate or run. Due to security concerns, the oscap xccdf eval command only accepts a limited set of parameters.

For information about how to schedule scans using the web interface, refer to Procedure 7.1, “Scans via the Web Interface”.

Chapter 8. Configuration

Only Configuration Administrators or SUSE Manager Administrators see the Configuration tab. In addition, they must have at least one Provisioning entitlement or the tab is not visible.

In this configuration portal, manage your configuration channels and files centrally or limited to a single system. Centrally-managed files are available to multiple systems; changes to a single file affect all these systems. Each system with a Provisioning entitlement has also a local configuration channel, sometimes referred to as an override channel, and a sandbox channel.

8.1. Preparing Systems for Config Management

To manage a system's configuration with SUSE Manager, it must have the appropriate tools and the config-enable file installed. These tools should be available if you installed the system with the configuration management functionality using AutoYaST or Kickstart. If not, they can be found in the Tools child channel for your distribution. Download and install the latest rhncfg* packages:

  • rhncfg — the base libraries and functions needed by all rhncfg-* packages,

  • rhncfg-actions — the RPM package required to run configuration actions scheduled via SUSE Manager,

  • rhncfg-client — the RPM package with a command line interface to the client features of the Configuration Management system,

  • rhncfg-management — the RPM package with a command line interface used to manage SUSE Manager configuration.

First, enable your system to schedule configuration actions via Actions Control. Enter the mgr-actions-control command, provided by the rhncfg-actions RPM, on the client system to enable or disable specific actions. Refer to Section “Actions Control (mgr-actions-control)” (Appendix A, Command Line Configuration Management Tools, ↑Reference Guide) for instructions.

8.2. Overview

The Configuration Overview shows all of the configuration files that are managed by your organization in SUSE Manager. This list includes files that are managed centrally in configuration channels and files that are managed locally via individual system profiles.

Configuration Summary

The panel provides quick information about your configuration files. Click on the blue text to the right to display relevant systems, channel details, or configuration files.

Configuration Actions

Configuration Actions offers direct access to the most common configuration management tasks. View or create files and channels or enable configuration management on your systems.

Recently Modified Configuration Files

The list shows which files have changed when and to which channel they belong. If no files have been changed, no list appears. Click on the name of a file to see its Details page. Click on the channel name to see its Channel Details page.

Recently Scheduled Configuration Deployments

Each scheduled action is listed along with the status of the action. Any scheduled configuration task, from enabling configuration management on a system to deploying a specific configuration file, is displayed. Here you can quickly assess if all tasks have been successfully carried out or fix any problems. Clicking on the blue text displays the System Details+Schedule page for the specified system.

8.3. Configuration Channels

As mentioned above, SUSE Manager manages both central and local configuration channels and files. Central configuration management allows you to deploy configuration files to multiple systems. Local configuration management allows you to specify overrides or configuration files that are not changed by subscribing the system to a central channel.

Central configuration channels must be created via the link on this page. Local configuration channels already exist for each system to which a Provisioning entitlement has been applied.

Click on the name of the configuration channel to see the details page for that channel. If you click on the number of files in the channel, you are taken to the List/Remove Files page of that channel. If you click on the number of systems subscribed to the configuration channel, you are taken to the Systems+Subscribed Systems page for that channel.

To create a new central configuration channel:

  1. Click the create new config channel link in the upper right of this screen.

  2. Enter a name for the channel.

  3. Enter a label for the channel. This field must contain only alphanumeric characters, "-", "_", and "."

  4. Enter a mandatory description for the channel that allows you to distinguish it from other channels. No character restrictions apply.

  5. Press the Create Config Channel button to create the new channel.

  6. The following page is a subset of the Channel Details page and has three subtabs: Overview, Add Files, and Systems. The Channel Details page is discussed in Section 8.3.1, “Configuration > Configuration Channels > Configuration Channel Details.

8.3.1. Configuration > Configuration Channels > Configuration Channel Details

Overview

This subtab is very similar to the Configuration Overview page. The Channel Information panel provides status information for the contents of the channel. The Configuration Actions panel provides access to the most common configuration tasks. The main difference is the Channel Properties panel. By clicking on the Edit Properties link, you can edit the name, label, and description of the channel.

List/Remove Files

This tab only appears if there are files in the configuration channel. You can remove files or copy the latest versions into a set of local overrides or into other central configuration channels. Check the box next to files you wish to manipulate and click the respective action button.

Add Files

The Add Files subtab has three subtabs of its own, which allow you to Upload, Import, or Create configuration files to be included in the channel.

Upload File

To upload a file into the configuration channel, browse for the file on your local system, populate all fields, and click the Upload Configuration File button. The Filename/Path field is the absolute path where the file will be deployed.

You can set the Ownership via the user name and group name as well as the Permissions of the file when it is deployed.

If the client has SELinux enabled, you can configure SELinux contexts to enable the required file attributes (such as user, role, and file type) that allow it to be used on the system.

If the configuration file includes a macro (a variable in a configuration file), enter the symbol that marks the beginning and end of the macro.

Import Files

To import files from other configuration channels, including any locally-managed channels, check the box to the left of any file you wish to import. Then press the Import Configuration File(s) button.

[Note]

A sandbox icon indicates that the listed file is currently located in a local sandbox channel. Files in a system's sandbox channel are considered experimental and could be unstable. Use caution when selecting them for a central configuration channel.

Create File

Create a configuration file, directory, or symbolic link from scratch to be included in the configuration channel.

First, choose whether you want to create a text file, directory, or symbolic link (symlink) in the File Type section. In the Filename/Path text input field, set the absolute path to where the file should be deployed. If you are creating a symlink, indicate the target file and path in the Symbolic Link Target Filename/Path input field.

Enter the User name and Group name for the file in the Ownership section, as well as the File Permissions Mode.

If the client has SELinux enabled, you can configure SELinux contexts to enable the required file attributes (such as user, role, and file type) that allow it to be used on the system.

If the configuration file includes a macro, enter the symbol that marks the beginning and end of the macro. Then enter the configuration file content in the File Contents field, using the script drop-down menu to choose the appropriate scripting language. Press the Create Configuration File button to create the new file.

Deploy Files

This subtab only appears when there are files in the channel. Deploy all files by clicking the Deploy All Files button or check selected files and click the Deploy Selected Files button. Select to which systems the file(s) should be applied. All systems subscribed to this channel are listed. If you wish to apply the file to a different system, subscribe it to the channel first. To deploy the files, press Confirm and Deploy to Selected Systems.

Systems

Manage systems subscribed to the configuration channel via two subtabs:

Subscribed Systems

All systems subscribed to the current channel are displayed. Click on the name of a system to see the System Details page.

Target Systems

This subtab displays a list of systems enabled for configuration management but not yet subscribed to the channel. To add a system to the configuration channel, check the box to the left of the system's name and press the Subscribe System button.

8.4. Configuration Files

This tab allows you to manage your configuration files independently. Both centrally-managed and locally-managed files can be reached from subtabs.

[Note]

By default, the maximum file size for configuration files is 128KB (131072 bytes). If you need to change that value, check web.maximum_config_file_size in the /usr/share/rhn/config-defaults/rhn_web.conf file, and then set it in /etc/rhn/rhn.conf to the desired value. SUSE supports a configuration file size up to 1MB; larger values are not guaranteed to work.

You must also check server.maximum_config_file_size in the /usr/share/rhn/config-defaults/rhn_server.conf file and set it in /etc/rhn/rhn.conf to the same value as web.maximum_config_file_size.

Change the value of both the variables to the desired value in bytes in /etc/rhn/rhn.conf, e.g.:

server.maximum_config_file_size=262144
web.maximum_config_file_size=262144

8.4.1. Centrally-managed Files

Centrally-managed files are available to multiple systems. Changing a file within a centrally-managed channel may result in changes to several systems.

This page lists all files currently stored in your central configuration channel. Click on the Path of a file to see its Configuration File Details page. Click the name of the configuration channel to see its Channel Details page. Clicking on the number of systems shows you all systems currently subscribed to the channel containing that file. Click on the number of overriding systems to see all systems that have a local (or override) version of the configuration file. The centrally-managed file will not be deployed to those systems.

8.4.2. Locally-Managed Files

Locally-managed configuration files apply to only one system. They may be files in the system's sandbox or files that can be deployed to the system at any time. Local files have higher priority than centrally-managed files. If a system is subscribed to a configuration channel with a given file and also has a locally-managed version of that file, the locally-managed version will be deployed.

The list of all local (override) configuration files for your systems includes the local configuration channels and the sandbox channel for each Provisioning-entitled system.

Click the Path of the file to see its Config File Details. Click the name of the system to which it belongs to see its System Details+Configuration+Overview page.

8.4.3. Including Macros in your Configuration Files

Being able to store one file and share identical configurations is useful, but what if you have many variations of the same configuration file? What do you do if you have configuration files that differ only in system-specific details, such as host name and MAC address?

Traditional file management would require to upload and distribute each file separately, even if the distinction is nominal and the number of variations is in the hundreds or thousands. SUSE Manager addresses this by allowing the inclusion of macros, or variables, within the configuration files it manages for Provisioning-entitled systems. In addition to variables for custom system information, the following standard macros are supported:

  • rhn.system.sid

  • rhn.system.profile_name

  • rhn.system.description

  • rhn.system.hostname

  • rhn.system.ip_address

  • rhn.system.custom_info(key_name)

  • rhn.system.net_interface.ip_address(eth_device)

  • rhn.system.net_interface.netmask(eth_device)

  • rhn.system.net_interface.broadcast(eth_device)

  • rhn.system.net_interface.hardware_address(eth_device)

  • rhn.system.net_interface.driver_module(eth_device)

To use this powerful feature, either upload or create a configuration file via the Configuration Channel Details page. Then open its Configuration File Details page and include the supported macros of your choice. Ensure that the delimiters used to offset your variables match those set in the Macro Start Delimiter and Macro End Delimiter fields and do not conflict with other characters in the file. We recommend that the delimiters be two characters in length and must not contain the percent (%) symbol.

For example, you may have a file applicable to all of your servers that differs only in IP address and host name. Rather than manage a separate configuration file for each server, you may create a single file, such as server.conf, with the IP address and host name macros included.

hostname={| rhn.system.hostname |}
ip_address={| rhn.system.net_interface.ip_address(eth0) |}

Upon delivery of the file to individual systems, whether through a scheduled action in the SUSE Manager Web interface or at the command line with the SUSE Manager Configuration Client (mgrcfg-client), the variables will be replaced with the host name and IP address of the system as recorded in SUSE Manager's system profile. In the above example configuration file the deployed version resembles the following:

hostname=test.example.domain.com
ip_address=177.18.54.7

To capture custom system information, insert the key label into the custom information macro (rhn.system.custom_info). For instance, if you developed a key labeled "asset" you can add it to the custom information macro in a configuration file to have the value substituted on any system containing it. The macro would look like this:

asset={@ rhn.system.custom_info(asset) @}

When the file is deployed to a system containing a value for that key, the macro gets translated, resulting in a string similar to the following:

asset=Example#456

To include a default value, for instance if one is required to prevent errors, you can append it to the custom information macro, like this:

asset={@ rhn.system.custom_info(asset) = 'Asset #' @}

This default is overridden by the value on any system containing it.

Using the SUSE Manager Configuration Manager (mgrcfg-manager) will not translate or alter files, as this tool is system agnostic. mgrcfg-manager does not depend on system settings. Binary files cannot be interpolated.

8.5. Systems

This page displays status information about your system in relation to configuration. There are two subtabs: Managed Systems and Target Systems.

8.5.1. Managed Systems

By default the Configuration+Systems page is displayed. The listed systems have been fully prepared for configuration file deployment. The number of local and centrally-managed files is displayed. Clicking the name of a system shows its System Details+Configuration+Overview page. Clicking on the number of local files takes you to the System Details+Configuration+View/Modify Files+Locally-Managed Files page, where you manage which local (override) files apply to the system. Clicking on the number of centrally-managed files takes you to the System Details+Configuration+Manage Configuration Channels+List/Unsubscribe from Channels page. Here you unsubscribe from any channels you wish.

8.5.2. Target Systems

Here you see the systems either not prepared for configuration file deployment or not yet subscribed to a configuration channel. The table has three columns. The first identifies the system name, the second shows whether the system is prepared for configuration file deployment, and the third lists the steps necessary to prepare the system. To prepare a system, check the box to the left of the profile name then press the Enable SUSE Manager Configuration Management button. All of the preparatory steps that can be automatically performed are scheduled by SUSE Manager.

[Note]

You will have to perform some manual tasks to enable configuration file deployment. Follow the on-screen instructions provided to assist with each step.

Chapter 9. Schedule

If you click the Schedule tab on the top navigation bar, the Schedule category and links appear. These pages enable you to track the actions carried out on your systems. An action is a scheduled task to be performed on one or more client systems. For example, an action can be scheduled to apply all patches to a system. Actions can also be grouped into action chains to schedule them at the same time in a particular order, for example to reboot a system after deploying patches.

SUSE Manager keeps track of the following action types:

  1. package alteration (installation, upgrade, and removal),

  2. rollback package actions,

  3. system reboots,

  4. patch application,

  5. configuration file alteration (deploy, upload, and diff),

  6. hardware profile updates,

  7. package list profile updates,

  8. automated installation initiation,

  9. service pack migrations,

  10. remote commands.

Each page in the Schedule category represents an action status.

9.1. Pending Actions

As shown in Figure 9.1, “Schedule - Pending Actions”, the Pending Actions page appears by default when clicking Schedule in the top navigation bar. It displays actions not yet started or still in progress.

Figure 9.1. Schedule - Pending Actions

Schedule - Pending Actions

9.2. Failed Actions

Sometimes actions cannot be completed. If the action returns an error, it is displayed here.

9.3. Completed Actions

List of actions successfully carried out.

9.4. Archived Actions

If you selected actions to store for review, they are displayed here and can be deleted.

9.5. Action Chains

All created action chains are displayed here and can be deleted or modified by clicking on the chain name. In the top right corner is the delete action chain link. To add actions to the selected chain, choose from the links at the top, leading to various 'chainable' actions: installing or upgrading packages, running a remote command and deploying a configuration file. Additionally, packages can be removed or verified, patches applied and systems rebooted via action chains.

For all these operations, the action can either be scheduled for a certain date and time or added to an action chain. To create a new one, configure the first action (e.g. running a remote command), then select Add to Action Chain instead of Schedule no sooner than:. Click on the drop-down menu, enter a name, and click Schedule to save the chain. Then proceed to the next action and add it to the new chain.

An action chain can be executed on all the systems it applies to. If more than one action applies to the same system, corresponding supported operations will be executed sequentially in action chain order. If a supported operation fails on a system, no further supported operations will be executed on that system.

[Note]

SUSE Manager does not enforce ordering across different systems.

Action chains can be edited via the Schedule+Action Chains page. Click on a chain name to see the actions in the order they will be performed. The following tasks can be carried out here:

  • Changing the order by dragging the respective action to the right position and dropping it.

  • Deleting actions from the chain by clicking on the delete action link.

  • Inspecting the list of systems on which an action is run by clicking on the + sign.

  • Deleting a single system from an action by clicking on the delete system link.

  • Deleting the complete chain with the delete action chain link in the top-left corner.

  • Changing the action chain label by clicking on it.

  • Scheduling the action chain for execution after a certain date by clicking on the Save and Schedule button.

[Note]

Note that if you leave the page without clicking on either Save or Save and Schedule all unsaved changes will be discarded. In this case, a confirmation dialog will pop up.

Currently you cannot add an action to an action chain from the Edit page. Once a Chain is scheduled, the actions it contains will be displayed under Schedule on the appropriate pages: Pending Actions, Failed Actions or Completed Actions, depending on the status. If one action fails on a system no other actions from the same chain will be executed on that systems. Due to technical limitations it is not possible to reuse Action Chains

9.6. Actions List

On each action page, each row in the list represents a single scheduled event or action that might affect multiple systems and involve various packages. The list contains several columns of information:

  • Filter by Action — Enter a term to filter the listed actions or use the check boxes in this column to select actions. Then either add them to your selection list or archive them by clicking Archive Actions. If you archive a pending action, it is not canceled, but the action item moves from the Pending Actions list to the Archived Actions list.

  • Action — Type of action to perform such as Patches or Package Install. Clicking an action name shows its Action Details page. Refer to Section 9.6.1, “Action Details” for more information.

  • Scheduled Time — The earliest day and time the action will be performed.

  • Succeeded — Number of systems on which this action was successfully carried out.

  • Failed — Number of systems on which this action has been tried and failed.

  • In Progress — Number of systems on which this action is taking place.

  • Total — Total number of systems on which this action has been scheduled.

9.6.1. Action Details

If you click on the name of an action, the Action Details page appears. This page is split into the following tabs:

9.6.1.1. Action Details > Details

General information about the action. This is the first tab you see when you click on an action. It displays the action type, scheduling administrator, earliest execution, and notes. Clicking the Patch Advisory takes you to the Patch Details page. The Patch Advisory appears only if the action is a patch. Refer to Section 4.2.2, “Patch Details” for more information.

9.6.1.2. Action Details > Completed Systems

List of systems on which the action has been successfully performed. Clicking a system name displays its System Details page. Refer to Section 3.2.14, “System Details” for more information.

9.6.1.3. Action Details > In Progress Systems

List of systems on which the action is now being carried out. To cancel an action, select the system by marking the appropriate check box and click the Unschedule Action button. Clicking a system name shows its System Details page. Refer to Section 3.2.14, “System Details” for more information.

9.6.1.4. Action Details > Failed Systems

List of systems on which the action has failed. It can be rescheduled here. Clicking a system name takes you to its System Details page. Refer to Section 3.2.14, “System Details” for more information.

Chapter 10. Users — [Mgmt]

Only SUSE Manager administrators can see the Users tab on the top navigation bar. If you click the tab, the Users category and links appear. Here you grant and edit permissions for those who administer your system groups. Click on a name in the User List to modify the user.

To add new users to your organization, click the create new user link on the top right corner of the page. On the Create User page, fill in the required values for the new user.

Once all fields are completed, click the Create Login button. SUSE Manager now sends an email to the specified address and takes you back to the Users+User List+Active page. If you wish to set permissions and options for the new user, click on the name in the list. The User Details page for this user provides several subtabs of options. Refer to Section 10.1.1, “User List > Active > User Details — [Mgmt]” for detailed descriptions of each subtab.

10.1. User List > Active — [Mgmt]

The user list shows all active users on your SUSE Manager and displays basic information about each user: username, real name, roles, and date of their last sign in.

As shown in Figure 10.1, “User List”, each row in the User List represents a user within your organization. There are four columns of information for each user:

  • Username — The login name of the user. Clicking on a username, displays the User Details page for the user. Refer to Section 10.1.1, “User List > Active > User Details — [Mgmt]” for more information.

  • Real Name — The full name of the user (last name first).

  • Roles — List of the user's privileges, such as organization administrator, channel administrator and normal user. Users can have multiple roles.

  • Last Sign In — Shows when the user last logged in to SUSE Manager.

Figure 10.1. User List

User List

10.1.1. User List > Active > User Details — [Mgmt]

On the User Details page SUSE Manager, administrators manage the permissions and activity of all users. Here you can also delete or deactivate users.

Users can be deactivated directly in the SUSE Manager Web interface. SUSE Manager administrators can deactivate or delete users of their organization, but users can also deactivate their own accounts.

Deactivated users cannot log in to the SUSE Manager Web interface or schedule any actions. SUSE Manager administrators cannot be deactivated until that role is removed from their account. Actions scheduled by a user prior to their deactivation remain in the action queue. Deactivated users can be reactivated by SUSE Manager administrators.

[Warning]Irreversible Deletion

User deletion is irreversible; exercise it with caution. Consider deactivating the user first in order to assess the effect deletion will have on your infrastructure.

To deactivate a user:

  1. Click on a user name to navigate to the User Details tab.

  2. Verify that the user is not a SUSE Manager administrator. If they are, uncheck the box to the left of that role and click the Submit button.

  3. Click the deactivate user link in the upper right of the screen.

  4. Click the Deactivate User button in the lower right to confirm.

To delete a user:

  1. Click on a user name to navigate to the User Details tab.

  2. Verify that the user is not a SUSE Manager administrator. Uncheck the box to remove the role if necessary.

  3. Click the delete user link in the upper right.

  4. Click the Delete User button to permanently delete the user.

For instructions to deactivate your own account, refer to Section 2.3.4, “Account Deactivation”.

10.1.1.1. User List > Active > User Details > Details — [Mgmt]

This is the default User Details tab, which displays the username, first name, last name, email address, and roles of a user. Edit this information as needed and click Update. When changing a user's password, you will only see asterisks as you type.

To delegate responsibilities within your organization, SUSE Manager provides several roles with varying degrees of access. This list describes the permissions of each role and the differences between them:

  • User — Also known as a System Group User, this is the standard role associated with any newly created user. This person may be granted access to manage system groups and software channels, if the SUSE Manager administrator sets the roles accordingly. The systems must be in system groups for which the user has permissions to manage them. However, all globally subscribable channels may be used by anyone.

  • Activation Key Administrator — This role is designed to manage your collection of activation keys. A user assigned to this role can modify and delete any key within your organization.

  • Channel Administrator — This role provides a user with full access to all software channels within your organization. This requires the SUSE Manager synchronization tool (mgr-ncc-sync). The channel administrator may change the base channels of systems, make channels globally subscribable, and create entirely new channels.

  • Organization Administrator — This role provides a user with all the permissions other administrators have, namely the activation key, configuration, monitoring, channel, and system group administrator.

  • Configuration Administrator — This role enables a user to manage the configuration of systems within the organization, using either the SUSE Manager Web interface or the rhncfg-management.

  • Monitoring Administrator — This role allows for the scheduling of probes and oversight of other monitoring infrastructure. This role is available only on a monitoring-enabled SUSE Manager server. Activate monitoring in Admin+SUSE Manager Configuration+General and click on Enable Monitoring. See Chapter 11, Monitoring — [Mon] for more information.

  • SUSE Manager Administrator — This role allows a user to perform any function available in SUSE Manager. As the master account for your organization, the person holding this role can alter the privileges of all other accounts, as well as conduct any of the tasks available to the other roles. Like with other roles, multiple SUSE Manager administrators may exist. Go to Admin+Users and click the check box in the SUSE Manager Admin? row. SUSE Manager Administrator manages foreign organizations; for example, a SUSE Manager Administrator can only create users for an organization if he is entitled with organization administrator privileges for this organization.

  • System Group Administrator — This role is one step below SUSE Manager administrator: full authority is limited to systems or system groups to which access is granted. The System Group Administrator can create new system groups, delete any assigned systems from groups, add systems to groups, and manage user access to groups.

Being a SUSE Manager administrator enables you to remove administrator rights from other users. It is possible to remove your own privileges as long as you are not the only SUSE Manager administrator.

To assign a new role to a user, check the respective box. SUSE Manager administrators are automatically granted administration access to all other roles, signified by grayed-out check boxes. Click Submit to submit your changes.

10.1.1.2. User List > Active > User Details > System Groups — [Mgmt]

This tab displays a list of system groups the user may administer. SUSE Manager administrators can set this user's access permissions to each system group. Check or uncheck the box to the left of the system group and click the Update Permissions button to save the changes.

SUSE Manager administrators may select one or more default system groups for a user. When the user registers a system, it gets assigned to the selected group or groups. This allows the user to access the newly-registered system immediately. System groups to which this user has access are preceded by an (*).

10.1.1.3. User List > Active > User Details > Systems — [Mgmt]

This tab lists all systems a user can access according to the system groups assigned to the user. To carry out tasks on some of these systems, select the set of systems by checking the boxes to the left and click the Update List button. Use the System Set Manager page to execute actions on those systems. Clicking the name of a system takes you to its System Details page. Refer to Section 3.2.14, “System Details” for more information.

10.1.1.4. User List > Active > User Details > Channel Permissions — [Mgmt]

This tab lists all channels available to your organization. Grant explicit channel subscription permission to a user for each of the channels listed by checking the box to the left of the channel, then click the Update Permissions button. Permissions granted by a SUSE Manager administrator or channel administrator have no check box but a check icon just like globally subscribable channels.

10.1.1.4.1. User List > Active > User Details > Channel Permissions > Subscription — [Mgmt]

Identifies channels to which the user may subscribe systems. To change these, select or deselect the appropriate check boxes and click the Update Permissions button. Note that channels subscribable due to the user's administrator status or the channel's global settings cannot be altered. They are identified with a check icon.

10.1.1.4.2. User List > Active > User Details > Channel Permissions > Management — [Mgmt]

Identifies channels the user may manage. To change these, select or deselect the appropriate check boxes and click the Update Permissions button. The permission to manage channels does not enable the user to create new channels. Note that channels automatically manageable through the user's admin status cannot be altered. These channels are identified with a check icon. Remember, SUSE Manager administrators and channel administrators can subscribe to or manage any channel.

10.1.1.5. User List > Active > User Details > Preferences — [Mgmt]

Configure the following settings for the user:

  • Email Notifications: Determine whether this user should receive email every time a patch alert is applicable to one or more systems in his or her SUSE Manager account, as well as daily summaries of system events.

  • SUSE Manager List Page Size: Maximum number of items that appear in a list on a single page. If the list contains more items than can be displayed on one page, click the Next button to see the next page. This preference applies to the user's view of system lists, patch lists, package lists, and so on.

  • Overview Start Page: Configure which information to be displayed on the Overview page at login.

  • CSV Files: Select whether to use the default comma or a semicolon as separator in downloadable CSV files.

Change these options to fit your needs, then click the Save Preferences button. To change the time zone for this user, click on the Locale subtab and select from the drop-down menu. Dates and times, like system check-in times, will be displayed according to the selected time zone. Click Save Preferences for changes to take effect.

10.1.1.6. User List > Active > User Details > Addresses — [Mgmt]

This tab lists mailing addresses associated with the user's account. If there is no address specified yet, click Add this address and fill out the form. When finished, click Update. To modify this information, click the Edit this address link, change the relevant information, and click the Update button.

10.1.1.7. User List > Active > User Details > Notification Methods — [Mon]

This tab lists email addresses designated to receive alerts from monitoring probes. To set up alerts, click create new method and fill in the fields accordingly. To receive pager-style messages, select the associated Message Format check box to have the messages sent in a shorter format. When finished, click Create Method. The method shows up in the methods list, where it can be edited and deleted.

If a notification method has probes attached, they are listed as well. If you are a monitoring administrator but don't have management rights for a system, its System Details and probe's Current State page are not accessible via links in their names. As always, SUSE Manager administrators have full access to all aspects of your SUSE Manager account.

10.2. User List > Deactivated — [Mgmt]

The list of deactivated users also allows you to reactivate any of them. Click the check box to the left of their name and click the Reactivate button then the Confirm button. Reactivated users retain the permissions and system group associations they had when they were deactivated. Clicking a user name shows the User Details page.

10.3. User List > All — [Mgmt]

The All page lists all users that belong to your organization. In addition to the fields listed in the previous two screens, the table of users includes a Status field. This field indicates whether the user is Active or Deactivated. Deactivated users are also grayed out to indicate their status. Click on the user name to see the User Details page.

Chapter 11. Monitoring — [Mon]

If you click the Monitoring tab on the top navigation bar, the Monitoring category and links appear. If you do not see the tab, activate monitoring in Admin+SUSE Manager Configuration+General and click the Enable Monitoring check box.

Manage the configuration of your monitoring infrastructure and view the results of probes monitoring entitled systems.

Initiate monitoring of a system through the Probes tab on the System Details page. Refer to Section 3.2.14, “System Details” for a description of the tab. See Appendix B, Probes (↑Reference Guide) for the complete list of available probes.

11.1. Status — [Mon]

[Important]

The Monitoring entitlement is required to view this tab.

Click Monitoring in the top navigation bar to see the Probe Status List. The page displays the summary count of probes in the various states and provides a simple interface to find problematic probes quickly. Note that the total number of probes displayed in the tabs at the top of the page may not match the numbers of probes displayed in the tables below. The counts at the top include probes for all systems in your organization, while the tables only display probes on those systems you have access to as system group administrator. Also, the probe counts displayed here may be out of sync by as much as one minute.

The following list describes each state and identifies the icons associated with them:

  • — Critical: the probe has crossed a critical threshold.

  • — Warning: the probe has crossed a warning threshold.

  • — Unknown: the probe is not able to accurately report metric or state data.

  • — Pending: the probe has been scheduled but not yet run or is unable to run.

  • — OK: the probe is running successfully.

The Probe Status List page contains tabs for each of the possible states, as well as one that lists all probes. Each table contains columns indicating probe state, the monitored system, the probes used, and the date and time the state was last updated.

In these tables, clicking the name of the system takes you to the Monitoring tab of the System Details page. Clicking the name of the probe takes you to its Current State page. From there, you may edit the probe, delete it, and generate reports based on its results.

Monitoring data and probe status information available on the Web interface of SUSE Manager can also be exported as a CSV file. Click on the Download CSV links throughout the Monitoring pages to download CSV files of relevant information. The exported data may include, but is not limited to:

  • probe status,

  • all probes in a given state (OK, WARN, UNKNOWN, CRITICAL, PENDING),

  • a probe event history.

11.1.1. Probe Status > Critical — [Mon]

[Important]

The Monitoring entitlement is required to view this tab.

The probes that have crossed their critical thresholds or reached a critical status by some other means. For instance, some probes become critical (rather than unknown) when exceeding their timeout period.

11.1.2. Probe Status > Warning — [Mon]

[Important]

The Monitoring entitlement is required to view this tab.

The probes that have crossed their warning thresholds.

11.1.3. Probe Status > Unknown — [Mon]

[Important]

The Monitoring entitlement is required to view this tab.

The probes that cannot collect the metrics needed to determine probe state. Most but not all probes enter an unknown state when exceeding their timeout period. This may mean that the timeout period should be increased, or the connection cannot be established to the monitored system.

It is also possible the probes' configuration parameters are not correct and their data cannot be found. This state may also indicate that a software error has occurred.

11.1.4. Probe Status > Pending — [Mon]

[Important]

The Monitoring entitlement is required to view this tab.

The probes whose data have not been received by SUSE Manager. This state is expected for a probe that has just been scheduled but has not yet run. If all probes go into a pending state, your monitoring infrastructure may be failing.

11.1.5. Probe Status > OK — [Mon]